Espionage Group Daggerfly Revamps Toolset, Expands Targets in Wake of Malware Exposure
The notorious espionage group Daggerfly, also known as Evasive Panda and Bronze Highland, has undergone a significant overhaul of its cyber arsenal, likely spurred by the public disclosure of its older malware variants. According to a report from Symantec’s Threat Hunter Team, these updates likely respond to the exposure of older variants. The updated tools have been used in attacks on organizations in Taiwan and a U.S. NGO based in China, suggesting the group is also engaged in internal espionage.
Among the new additions to Daggerfly’s toolkit is a new malware family based on the group’s MgBot modular framework and a new version of the Macma macOS backdoor. The Macma backdoor, previously of unknown authorship, has now been attributed to Daggerfly by Symantec’s team.
First documented by Google in 2021 but in use since at least 2019, Macma is a modular macOS backdoor. Initially distributed via watering hole attacks in Hong Kong, Macma targeted macOS devices using a privilege escalation vulnerability (CVE-2021-30869). The backdoor’s functionalities include:
- Device fingerprinting
- Command execution
- Screen capture
- Keylogging
- Audio capture
- File uploading and downloading
Symantec’s recent findings reveal ongoing development of Macma, with new versions displaying updates such as:
- Different main module configuration data
- Incremental updates to existing functionality
- Updated modules and file paths
- Enhanced debug logging
A notable modification includes new logic for collecting a file’s system listing based on the Linux/Unix utility “Tree.” Additionally, a new configuration file, param2.ini, relates to a feature named “autoScreenCaptureInfo.”
Symantec’s report provides compelling evidence linking Macma to Daggerfly. Two Macma variants connected to a command-and-control (C&C) server also used by an MgBot dropper. Shared infrastructure and code between Macma and other Daggerfly tools, including threading, event notifications, and platform-independent abstractions, further support this attribution.
The espionage group Daggerfly has also introduced a new Windows backdoor, Trojan.Suzafk, first documented by ESET in March 2024 as Nightdoor (aka NetMM). Developed using the same shared library as MgBot and Macma, Suzafk is a multi-staged backdoor capable of using TCP or OneDrive for C&C. Its loader drops Engine.dll and MeitUD.exe, the latter being a legitimate application used for persistence and payload loading.
Suzafk features code from the al-khaser project, a public repository for detecting virtual machines and malware analysis environments. It creates specific folders and stores network configuration data XOR encrypted with the key 0x7A. The backdoor executes commands such as ipconfig, systeminfo, tasklist, and netstat through a cmd.exe shell.
The group can target major operating systems, including Windows, macOS, Linux, and Android. In addition to the documented tools, Daggerfly has demonstrated the ability to Trojanize Android APKs, intercept SMS messages and DNS requests, and even develop malware targeting the Solaris OS.
