>samit_hota
Back to adversary profiles
G1034HighActive

Daggerfly (G1034): An Adaptive PRC-Linked Espionage Group

Samit Hota·
Suspected Origin
China
Motivation
Espionage, Intelligence Gathering, Information Theft
Aliases
Evasive Panda, BRONZE HIGHLAND
Target Sectors
Government, NGOs, Telecommunications, Civil Society, Human Rights, Academic, Religious
Associated Malware
MgBot, MACMA, Nightdoor, CloudScout, PlugX, Cobalt Strike, KsRemote, AnyDesk (abused)
#threat-actor#g1034

Overview

Daggerfly, tracked by the MITRE ATT&CK framework as G1034, is a highly capable Advanced Persistent Threat (APT) entity known to operate with strong links to the People’s Republic of China. Active since at least 2012, this group is also widely recognized by its aliases, Evasive Panda and BRONZE HIGHLAND, and has been referred to as StormBamboo and StormCloud by some researchers. Daggerfly’s primary motivation is cyber espionage and intelligence gathering, aligning with strategic national interests to collect sensitive information from a broad spectrum of targets.

The group’s targeting reflects Beijing’s geopolitical interests, focusing on individuals, government entities, and Non-Governmental Organizations (NGOs), as well as telecommunication companies, religious and academic institutions, and civil society groups. Geographically, Daggerfly’s operations span across Asia, including mainland China, Hong Kong, Macao, Taiwan, Vietnam, Myanmar, Philippines, India, Malaysia, and Tibet. They have also consistently targeted African nations, notably Nigeria, South Africa, and the Central African Republic. Interestingly, some campaigns have even affected networks within mainland China, potentially indicating third-party surveillance or misattribution. Daggerfly is a well-resourced and highly adaptable group, consistently updating its toolset in response to exposure to maintain its espionage activities.

Tactics & Techniques

Daggerfly employs a diverse set of tactics, techniques, and procedures (TTPs) for initial access, persistence, and information collection. A common initial compromise vector involves supply chain infection campaigns, where the group distributes trojanized software updates for legitimate applications. They have notably hijacked update channels for popular Chinese software, delivering malware to users in mainland China, including an international NGO. Spear-phishing with malicious attachments is another favored method, particularly against pro-democracy activists.

The group also leverages strategic website compromises, known as watering hole attacks, observed targeting users in Hong Kong and, more recently, Tibetan communities through compromised websites related to religious festivals or language translation software. Vulnerability exploitation, such as weaknesses in Apache HTTP servers, has also been documented as an initial access point to deliver their primary malware. More advanced techniques include Adversary-in-the-Middle (AiTM) attacks and DNS poisoning to redirect legitimate update requests to attacker-controlled infrastructure, enabling the stealthy delivery of their payloads.

For execution, Daggerfly frequently utilizes living-off-the-land (LotL) tools like PowerShell and BITSAdmin to download and execute remote files. They are adept at DLL side-loading, often abusing legitimate software such as Rising antivirus or DAEMON Tools Lite Helper, to load malicious DLLs. Persistence is often achieved through the creation of local accounts on victim machines and the establishment of scheduled tasks. To evade defenses, they inject decrypted payloads into legitimate processes like svchost.exe and use code signing certificates for malicious macOS files. Credential access is a significant focus, with techniques including dumping Security Account Manager (SAM), System, and Security registry hives, utilizing credential harvesting utilities like GetCredManCreds, and stealing web session cookies from browsers such as Firefox, Chrome, and Edge.

For internal discovery and collection, Daggerfly’s toolkit includes modules for network scanning (ARP and HTTP/server service scans), collecting local domain user and permission information, identifying local administrators, and enumerating Active Directory services. Data collection capabilities are extensive, covering keylogging (with a focus on the QQ chat application), capturing screenshots, recording audio, exfiltrating clipboard data, and collecting specific file types or files from USB drives and CD-ROMs. Command and Control (C2) typically relies on HTTP communications, but more advanced implants like Nightdoor can leverage Google Drive API for covert C2.

Notable Campaigns

Daggerfly has been linked to numerous significant campaigns since its inception. In 2020-2021 and continuing into 2023, the group focused on users in mainland China, particularly members of an international NGO, by compromising legitimate Chinese software update channels to distribute their MgBot malware. In 2021, they conducted watering hole attacks targeting users in Hong Kong, deploying their MACMA macOS backdoor.

A notable campaign in 2022 involved the use of their CloudScout toolset against a religious institution and a government entity in Taiwan. This operation aimed to steal web session cookies to facilitate data exfiltration from cloud services. Between November 2022 and November 2024, Daggerfly executed a prolonged campaign targeting telecommunication service providers in Africa, with some indications of targeting Asian and Middle Eastern subsidiaries of telecom firms. This campaign showcased new MgBot plugins, the use of PlugX loaders, and the abuse of legitimate AnyDesk remote desktop software. During this same period, they also used AiTM attacks and DNS poisoning to deploy MgBot against victims in China, India, and Türkiye. Mid-2023 saw attacks targeting Tibetan individuals through compromised websites of religious festivals and supply-chain compromises involving Tibetan language translation software.

Most recently, in 2024, Daggerfly demonstrated its adaptive nature by deploying an extensively updated toolset in attacks against organizations in Taiwan and a U.S. NGO operating within China. These operations involved exploiting Apache HTTP server vulnerabilities to deliver MgBot and other updated malware, including new variants of MACMA and Nightdoor. Malware delivery was also observed through Tencent messaging software in some instances.

Associated Malware & Tools

Daggerfly maintains a sophisticated and continuously evolving arsenal of custom malware and off-the-shelf tools:

  • MgBot (S1146): This is Daggerfly’s flagship modular backdoor, written in C++, and has been exclusively associated with the group since at least 2012. It is under active development and features a wide array of plugins for comprehensive information gathering, including system information, file collection, network scanning (ARP, HTTP/server service scans), credential harvesting from numerous browsers and email clients (Chrome, Firefox, Edge, Outlook, Foxmail), keylogging (specifically for QQ chat), screenshots, audio capture, clipboard data theft, Active Directory enumeration, QQ message history collection, USB/CD-ROM data acquisition, and a process watchdog.
  • MACMA: A macOS backdoor initially documented in 2021 by Google’s Threat Analysis Group (TAG). Symantec has since linked MACMA to Daggerfly through overlapping command-and-control infrastructure and shared code libraries with other Daggerfly tools. It is capable of harvesting sensitive information and executing arbitrary commands, often deployed in watering hole attacks.
  • Nightdoor (aka NetMM, Suzafk): This is a Windows backdoor that distinguishes itself by leveraging the Google Drive API for command-and-control communication. It shares underlying development frameworks with MgBot and MACMA, indicating a common malware development ecosystem within the group.
  • CloudScout: A professional-grade, .NET-based post-compromise toolset designed specifically for retrieving data from various cloud services like Google Drive, Gmail, and Outlook. It operates by hijacking authenticated web sessions through the use of stolen cookies, thereby bypassing multi-factor authentication. CloudScout is engineered to work seamlessly with the MgBot framework.
  • PlugX: A well-known remote access trojan often employed by Daggerfly as a loader for subsequent payloads.
  • Cobalt Strike: Daggerfly frequently abuses this legitimate adversary simulation software for post-exploitation activities, including maintaining remote access and executing further commands.
  • KsRemote: An Android Remote Access Trojan (RAT) utilized in mobile-centric espionage operations.
  • Abused Legitimate Software: The group has a history of incorporating and abusing legitimate applications such as AnyDesk for remote desktop access and specific antivirus software (e.g., Rising antivirus) for DLL side-loading purposes.
  • Other capabilities: Daggerfly’s extensive resources also suggest capabilities to Trojanize Android APKs, intercept SMS messages and DNS requests, and even develop malware families targeting the Solaris operating system.

Current Status

Daggerfly remains an active and persistent threat actor. Having been operational since at least 2012, recent reporting indicates ongoing campaigns as recently as mid-July 2025. The group’s flagship malware, MgBot, continues to be under active development, with new plugins and versions observed through 2024, demonstrating consistent investment in their capabilities.

A significant observation in 2024 was Daggerfly’s extensive update to its entire toolset, including new variants of MgBot, MACMA, and the introduction of Suzafk (Nightdoor). This rapid evolution of their malware and TTPs is likely a direct response to public exposure and analysis of older variants, underscoring their adaptive nature and determination to bypass detection. Recent attacks in 2024 targeting entities in Taiwan and a U.S. NGO in China highlight their continued focus on strategic targets. The observed campaign leveraging AiTM and DNS poisoning from November 2022 to November 2024 further attests to their sustained and sophisticated operations. Daggerfly is a well-resourced and highly adaptable group capable of quickly updating its toolset to continue its espionage activities with minimal disruption. Their consistent activity and evolution make them a significant and ongoing cyber espionage threat.

Worried this actor targets your sector?

Let's map your exposure before they find it themselves.

Book an advisory call