{
	"id": "37321769-aaee-49ed-a04c-d901836d57e2",
	"created_at": "2026-04-06T00:12:49.330683Z",
	"updated_at": "2026-04-10T03:36:00.063325Z",
	"deleted_at": null,
	"sha1_hash": "45c31eaf4df2dd5ba362f2b24a06579e0146a4eb",
	"title": "Evasive Panda leverages Monlam Festival to target Tibetans",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2102598,
	"plain_text": "Evasive Panda leverages Monlam Festival to target Tibetans\r\nBy Anh HoFacundo MuñozMarc-Etienne M.Léveillé\r\nArchived: 2026-04-05 16:14:27 UTC\r\nESET researchers discovered a cyberespionage campaign that, since at least September 2023, has been victimizing Tibetans\r\nthrough a targeted watering hole (also known as a strategic web compromise), and a supply-chain compromise to deliver\r\ntrojanized installers of Tibetan language translation software. The attackers aimed to deploy malicious downloaders for\r\nWindows and macOS to compromise website visitors with MgBot and a backdoor that, to the best of our knowledge, has not\r\nbeen publicly documented yet; we have named it Nightdoor.\r\nKey points in this blogpost:\r\nWe discovered a cyberespionage campaign that leverages the Monlam Festival – a religious gathering – to\r\ntarget Tibetans in several countries and territories.\r\nThe attackers compromised the website of the organizer of the annual festival, which takes place in India,\r\nand added malicious code to create a watering-hole attack targeting users connecting from specific\r\nnetworks.\r\nWe also discovered that a software developer’s supply chain was compromised and trojanized installers for\r\nWindows and macOS were served to users.\r\nThe attackers fielded a number of malicious downloaders and full-featured backdoors for the operation,\r\nincluding a publicly undocumented backdoor for Windows that we have named Nightdoor.\r\nWe attribute this campaign with high confidence to the China-aligned Evasive Panda APT group.\r\nEvasive Panda profile\r\nEvasive Panda (also known as BRONZE HIGHLAND and Daggerfly) is a Chinese-speaking APT group, active since at\r\nleast 2012. ESET Research has observed the group conducting cyberespionage against individuals in mainland China, Hong\r\nKong, Macao, and Nigeria. 
Government entities were targeted in Southeast and East Asia, specifically China, Macao,\r\nMyanmar, The Philippines, Taiwan, and Vietnam. Other organizations in China and Hong Kong were also targeted.\r\nAccording to public reports, the group has also targeted unknown entities in Hong Kong, India, and Malaysia.\r\nThe group uses its own custom malware framework with a modular architecture that allows its backdoor, known as MgBot,\r\nto receive modules to spy on its victims and enhance its capabilities. Since 2020 we have also observed that Evasive Panda\r\nhas capabilities to deliver its backdoors via adversary-in-the-middle attacks hijacking updates of legitimate software.\r\nCampaign overview\r\nIn January 2024, we discovered a cyberespionage operation in which attackers compromised at least three websites to carry\r\nout watering-hole attacks as well as a supply-chain compromise of a Tibetan software company.\r\nThe compromised website abused as a watering hole belongs to Kagyu International Monlam Trust, an organization based in\r\nIndia that promotes Tibetan Buddhism internationally. The attackers placed a script in the website that verifies the IP address\r\nof the potential victim and if it is within one of the targeted ranges of addresses, shows a fake error page to entice the user to\r\ndownload a “fix” named certificate (with a .exe extension if the visitor is using Windows or .pkg if macOS). 
This file is a\r\nmalicious downloader that deploys the next stage in the compromise chain.\r\nBased on the IP address ranges the code checks for, we discovered that the attackers targeted users in India, Taiwan, Hong\r\nKong, Australia, and the United States; the attack might have aimed to capitalize on international interest in the Kagyu\r\nMonlam Festival (Figure 1) that is held annually in January in the city of Bodhgaya, India.\r\nhttps://www.welivesecurity.com/en/eset-research/evasive-panda-leverages-monlam-festival-target-tibetans/\r\nPage 1 of 26\n\nFigure 1. Kagyu Monlam’s website with the dates of the festival\r\nInterestingly, the network of the Georgia Institute of Technology (also known as Georgia Tech) in the United States is among\r\nthe identified entities in the targeted IP address ranges. In the past, the university was mentioned in connection with the\r\nChinese Communist Party’s influence on education institutes in the US.\r\nAround September 2023, the attackers compromised the website of a software development company based in India that\r\nproduces Tibetan language translation software. The attackers placed several trojanized applications there that deploy a\r\nmalicious downloader for Windows or macOS.\r\nIn addition to this, the attackers also abused the same website and a Tibetan news website called Tibetpost – tibetpost[.]net –\r\nto host the payloads obtained by the malicious downloads, including two full-featured backdoors for Windows and an\r\nunknown number of payloads for macOS.\r\nFigure 2. Timeline of events related to the attack\r\nWith high confidence we attribute this campaign to the Evasive Panda APT group, based on the malware that was used:\r\nMgBot and Nightdoor. In the past, we have seen both backdoors deployed together, in an unrelated attack against a religious\r\norganization in Taiwan, in which they also shared the same C\u0026C server. 
Both points also apply to the campaign described in\r\nthis blogpost.\r\nWatering hole\r\nOn January 14th, 2024, we detected a suspicious script at https://www.kagyumonlam[.]org/media/vendor/jquery/js/jquery.js?3.6.3.\r\nMalicious obfuscated code was appended to a legitimate jQuery JavaScript library script, as seen in Figure 3.\r\nFigure 3. The malicious code added at the end of a jQuery library\r\nThe script sends an HTTP request to the localhost address http://localhost:63403/?callback=handleCallback to check\r\nwhether the attacker’s intermediate downloader is already running on the potential victim machine (see Figure 4). On a\r\npreviously compromised machine, the implant replies with handleCallback({\"success\":true }) (see Figure 5) and no further\r\nactions are taken by the script.\r\nFigure 4. The JavaScript code that checks in with the implant\r\nFigure 5. The implant answering the JavaScript check-in request\r\nIf the machine does not reply with the expected data, the malicious code continues by obtaining an MD5 hash from a\r\nsecondary server at https://update.devicebug[.]com/getVersion.php. Then the hash is checked against a list of 74 hash values,\r\nas seen in Figure 6.\r\nFigure 6. An array of hashes stored in the malicious JavaScript\r\nIf there is a match, the script will render an HTML page with a fake crash notification (Figure 7) intended to bait the visiting\r\nuser into downloading a solution to fix the problem. The page mimics typical “Aw, Snap!” warnings from Google Chrome.\r\nFigure 7. 
A fake graphic rendered by the JavaScript\r\nThe “Immediate Fix” button triggers a script that downloads a payload based on the user’s operating system (Figure 8).\r\nFigure 8. Download URLs for Windows and macOS\r\nBreaking the hash\r\nThe condition for payload delivery requires getting the correct hash from the server at update.devicebug[.]com, so the 74\r\nhashes are the key to the attacker’s victim selection mechanism. However, since the hash is computed on the server side, it\r\nposed a challenge for us to know what data is used to compute it.\r\nWe experimented with different IP addresses and system configurations and narrowed down the input for the MD5 algorithm\r\nto a formula of the first three octets of the user’s IP address. In other words, IP addresses sharing the same\r\nnetwork prefix, for example 192.168.0.1 and 192.168.0.50, receive the same MD5 hash from the C\u0026C server.\r\nHowever, an unknown combination of characters, or a salt, is included with the string of first three IP octets before hashing\r\nto prevent the hashes from being trivially brute-forced. Therefore, we needed to brute-force the salt to secure the input\r\nformula and only then generate hashes using the entire range of IPv4 addresses to find the matching 74 hashes.\r\nSometimes the stars do align, and we figured out that the salt was 1qaz0okm!@#. With all pieces of the MD5 input formula\r\n(for example, 192.168.1.1qaz0okm!@#), we brute-forced the 74 hashes with ease and generated a list of targets. See the\r\nAppendix for a complete list.\r\nAs shown in Figure 9, the majority of targeted IP address ranges are in India, followed by Taiwan, Australia, the United\r\nStates, and Hong Kong. Note that most of the Tibetan diaspora lives in India.\r\nFigure 9. 
Geolocation of targeted IP address ranges\r\nWindows payload\r\nOn Windows, victims of the attack are served with a malicious executable located at\r\nhttps://update.devicebug[.]com/fixTools/certificate.exe. Figure 10 shows the execution chain that follows when the user\r\ndownloads and executes the malicious fix.\r\nFigure 10. Loading chain of certificate.exe\r\ncertificate.exe is a dropper that deploys a side-loading chain to load an intermediate downloader, memmgrset.dll (internally\r\nnamed http_dy.dll). This DLL fetches a JSON file from the C\u0026C server at\r\nhttps://update.devicebug[.]com/assets_files/config.json, which contains the information to download the next stage (see\r\nFigure 11).\r\nFigure 11. Content of config.json\r\nWhen the next stage is downloaded and executed, it deploys another side-loading chain to deliver Nightdoor as the final\r\npayload. An analysis of Nightdoor is provided below in the Nightdoor section.\r\nmacOS payload\r\nThe macOS malware is the same downloader that we document in more detail in Supply-chain compromise. However, this\r\none drops an additional Mach-O executable, which listens on TCP port 63403. 
Its only purpose is to reply with\r\nhandleCallback({\"success\":true }) to the malicious JavaScript code request, so if the user visits the watering-hole website\r\nagain, the JavaScript code will not attempt to re-compromise the visitor.\r\nThis downloader obtains the JSON file from the server and downloads the next stage, just like the Windows version\r\npreviously described.\r\nSupply-chain compromise\r\nOn January 18th, we discovered that the official website (Figure 12) of a Tibetan language translation software product for\r\nmultiple platforms was hosting ZIP packages containing trojanized installers for legitimate software that deployed malicious\r\ndownloaders for Windows and macOS.\r\nFigure 12. Windows and macOS applications are backdoored versions, hosted on the legitimate website’s\r\ndownload page\r\nWe found one victim from Japan who downloaded one of the packages for Windows. Table 1 lists the URLs and the dropped\r\nimplants.\r\nTable 1. 
URLs of the malicious packages on the compromised website and payload type in the compromised application\r\nMalicious package URL | Payload type\r\nhttps://www.monlamit[.]com/monlam-app-store/monlam-bodyig3.zip | Win32 downloader\r\nhttps://www.monlamit[.]com/monlam-app-store/Monlam_Grand_Tibetan_Dictionary_2018.zip | Win32 downloader\r\nhttps://www.monlamit[.]com/monlam-app-store/Deutsch-Tibetisches_W%C3%B6rterbuch_Installer_Windows.zip | Win32 downloader\r\nhttps://www.monlamit[.]com/monlam-app-store/monlam-bodyig-mac-os.zip | macOS downloader\r\nhttps://www.monlamit[.]com/monlam-app-store/Monlam-Grand-Tibetan-Dictionary-for-mac-OS-X.zip | macOS downloader\r\nWindows packages\r\nFigure 13 illustrates the loading chain of the trojanized application from the package monlam-bodyig3.zip.\r\nFigure 13. Loading chain of the malicious components\r\nThe trojanized application contains a malicious dropper called autorun.exe that deploys two components:\r\n- an executable file named MonlamUpdate.exe, which is a software component from an emulator called C64 Forever\r\nand is abused for DLL side-loading, and\r\n- RPHost.dll, the side-loaded DLL, which is a malicious downloader for the next stage.\r\nWhen the downloader DLL is loaded in memory, it creates a scheduled task named Demovale intended to be executed every\r\ntime a user logs on. However, since the task does not specify a file to execute, it fails to establish persistence.\r\nNext, this DLL gets a UUID and the operating system version to create a custom User-Agent and sends a GET request to\r\nhttps://www.monlamit[.]com/sites/default/files/softwares/updateFiles/Monlam_Grand_Tibetan_Dictionary_2018/UpdateInfo.dat\r\nto obtain a JSON file containing the URL to download and execute a payload that it drops to the %TEMP% directory. 
We\r\nwere unable to obtain a sample of the JSON object data from the compromised website; therefore we don’t know from\r\nwhere exactly default_ico.exe is downloaded, as illustrated in Figure 13.\r\nVia ESET telemetry, we noticed that the illegitimate MonlamUpdate.exe process downloaded and executed on different\r\noccasions at least four malicious files to %TEMP%\\default_ico.exe. Table 2 lists those files and their purpose.\r\nTable 2. Hash of the default_ico.exe downloader/dropper, contacted C\u0026C URL, and description of the downloader\r\nSHA-1 | Contacted URL | Purpose\r\n1C7DF9B0023FB97000B71C7917556036A48657C5 | https://tibetpost[.]net/templates/protostar/html/layouts/joomla/system/default_fields.php | Downloads an unknown payload from the server.\r\nF0F8F60429E3316C463F397E8E29E1CB2D925FC2 |  | Downloads an unknown payload from the server. This sample was written in Rust.\r\n7A3FC280F79578414D71D70609FBDB49EC6AD648 | http://188.208.141[.]204:5040/a62b94e4dcd54243bf75802f0cbd71f3.exe | Downloads a randomly named Nightdoor dropper.\r\nBFA2136336D845184436530CDB406E3822E83EEB | N/A | Open-source tool SystemInfo, into which the attackers integrated their malicious code and embedded an encrypted blob that, once decrypted and executed, installs MgBot.\r\nFinally, the default_ico.exe downloader or dropper will either obtain the payload from the server or drop it, then execute it\r\non the victim machine, installing either Nightdoor (see the Nightdoor section) or MgBot (see our previous analysis).\r\nThe two remaining trojanized packages are very similar, deploying the same malicious downloader DLL side-loaded by the\r\nlegitimate executable.\r\nmacOS packages\r\nThe ZIP archive downloaded from the official app store contains a modified installer package (.pkg file), where a Mach-O\r\nexecutable and a post-installation script were added. The post-installation script copies the Mach-O file to\r\n$HOME/Library/Containers/CalendarFocusEXT/ and proceeds to install a Launch Agent in\r\n$HOME/Library/LaunchAgents/com.Terminal.us.plist for persistence. Figure 14 shows the script responsible for installing\r\nand launching the malicious Launch Agent.\r\nFigure 14. Post-installation script for installing and launching the malicious Launch Agent\r\nThe malicious Mach-O, Monlam-bodyig_Keyboard_2017 in Figure 13 is signed, but not notarized, using a developer\r\ncertificate (not a certificate type usually used for distribution) with the name and team identifier ya ni yang (2289F6V4BN).\r\nThe timestamp in the signature shows that it was signed January 7th, 2024. 
This date is also used in the modified timestamp\r\nof the malicious files in the metadata of the ZIP archive. The certificate was issued only three days before. The full\r\ncertificate is available in the IoCs section. Our team reached out to Apple on January 25th and the certificate was revoked the\r\nsame day.\r\nThis first-stage malware downloads a JSON file that contains the URL to the next stage. The architecture (ARM or Intel),\r\nmacOS version, and hardware UUID (an identifier unique to each Mac) are reported in the User-Agent HTTP request\r\nheader. The same URL as the Windows version is used to retrieve that configuration:\r\nhttps://www.monlamit[.]com/sites/default/files/softwares/updateFiles/Monlam_Grand_Tibetan_Dictionary_2018/UpdateInfo.dat.\r\nHowever, the macOS version will look at the data under the mac key of the JSON object instead of the win key.\r\nThe object under the mac key should contain the following:\r\nurl: The URL to the next stage.\r\nmd5: MD5 sum of the payload.\r\nvernow: A list of hardware UUIDs. If present, the payload will only be installed on Macs that have one of the listed\r\nhardware UUIDs. This check is skipped if the list is empty or missing.\r\nversion: A numerical value that must be higher than the previously downloaded second stage “version”. The payload\r\nis not downloaded otherwise. The value of the currently running version is kept in the application user defaults.\r\nAfter the malware downloads the file from the specified URL using curl, the file is hashed using MD5 and compared to the\r\nhexadecimal digest under the md5 key. If it matches, its extended attributes are removed (to clear the com.apple.quarantine\r\nattribute), the file is moved to $HOME/Library/SafariBrowser/Safari.app/Contents/MacOS/SafariBrower, and is launched\r\nusing execvp with the argument run.\r\nUnlike the Windows version, we could not find any of the later stages of the macOS variant. 
One JSON configuration\r\ncontained an MD5 hash (3C5739C25A9B85E82E0969EE94062F40), but the URL field was empty.\r\nNightdoor\r\nThe backdoor that we have named Nightdoor (and is named NetMM by the malware authors according to PDB paths) is a\r\nlate addition to Evasive Panda’s toolset. Our earliest knowledge of Nightdoor goes back to 2020, when Evasive Panda\r\ndeployed it onto a machine of a high-profile target in Vietnam. The backdoor communicates with its C\u0026C server via UDP or\r\nthe Google Drive API. The Nightdoor implant from this campaign used the latter. It encrypts a Google API OAuth 2.0 token\r\nwithin the data section and uses the token to access the attacker’s Google Drive. We have requested that the Google account\r\nassociated with this token be taken down.\r\nFirst, Nightdoor creates a folder in Google Drive containing the victim’s MAC address, which also acts as a victim ID. This\r\nfolder will contain all the messages between the implant and the C\u0026C server. Each message between Nightdoor and the\r\nC\u0026C server is structured as a file and separated into filename and file data, as depicted in Figure 15.\r\nFigure 15. 
The conversation messages between the implant and the C\u0026C from the victim’s folder in the\r\nattacker’s Google Drive\r\nEach filename contains eight main attributes, as demonstrated in the example below.\r\nExample:\r\n1_2_0C64C2BAEF534C8E9058797BCD783DE5_168_0_1_4116_0_00-00-00-00-00-00\r\n1_2: magic value.\r\n0C64C2BAEF534C8E9058797BCD783DE5: header of pbuf data structure.\r\n168: size of the message object or file size in bytes.\r\n0: filename, which is always the default of 0 (null).\r\n1: command type, hardcoded to 1 or 0 depending on the sample.\r\n4116: command ID.\r\n0: quality of service (QoS).\r\n00-00-00-00-00-00: meant to be MAC address of the destination but always defaults to 00-00-00-00-00-00.\r\nThe data inside each file represents the controller’s command for the backdoor and the necessary parameters to execute it.\r\nFigure 16 shows an example of a C\u0026C server message stored as file data.\r\nFigure 16. Message from the C\u0026C server\r\nBy reverse engineering Nightdoor, we were able to understand the meaning of the important fields presented in the file, as\r\nshown in Figure 17.\r\nFigure 17. Nightdoor command file format\r\nWe found that many meaningful changes were added to the Nightdoor version used in this campaign, one of them being the\r\norganization of command IDs. In previous versions, each command ID was assigned to a handler function one by one, as\r\nshown in Figure 18. The numbering choices, such as from 0x2001 to 0x2006, from 0x2201 to 0x2203, from 0x4001 to\r\n0x4003, and from 0x7001 to 0x7005, suggested that commands were divided into groups with similar functionalities.\r\nFigure 18. 
Nightdoor’s old method of assigning command IDs to handling functions\r\nHowever, in this version, Nightdoor uses a branch table to organize all the command IDs with their corresponding handlers.\r\nThe command IDs are continuous throughout and act as indexes to their corresponding handlers in the branch table, as\r\nshown in Figure 19.\r\nFigure 19. Nightdoor’s switch statement and the branch table\r\nTable 3 is a preview of the C\u0026C server commands and their functionalities. This table contains the new command IDs as\r\nwell as the equivalent IDs from older versions.\r\nTable 3. Commands supported by the Nightdoor variants used in this campaign.\r\nCommand ID | Previous command ID | Description\r\n0x1001 | 0x2001 | Collect basic system profile information such as:\r\n- OS version\r\n- IPv4 network adapters, MAC addresses, and IP addresses\r\n- CPU name\r\n- Computer name\r\n- Username\r\n- Device driver names\r\n- All usernames from C:\\Users\\*\r\n- Local time\r\n- Public IP address using the ifconfig.me or ipinfo.io webservice\r\n0x1007 | 0x2002 | Collect information about disk drives such as:\r\n- Drive name\r\n- Free space and total space\r\n- File system type: NTFS, FAT32, etc.\r\n0x1004 | 0x2003 | Collect information on all installed applications under the Windows registry keys below HKLM\\SOFTWARE\\:\r\n- WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Uninstall (x64)\r\n- Microsoft\\Windows\\CurrentVersion\\Uninstall (x86)\r\n0x1003 | 0x2004 | Collect information on running processes, such as:\r\n- Process name\r\n- Number of threads\r\n- Username\r\n- File location on disk\r\n- Description of file on disk\r\n0x1006 | 0x4001, 0x4002, 0x4003 | Create a reverse shell and manage input and output via anonymous pipes.\r\n0x1002 | N/A | Self-uninstall.\r\n0x100C | 0x6001 | Move file. The path is provided by the C\u0026C server.\r\n0x100B | 0x6002 | Delete file. The path is provided by the C\u0026C server.\r\n0x1016 | 0x6101 | Get file attributes. The path is provided by the C\u0026C server.\r\nConclusion\r\nWe have analyzed a campaign by the China-aligned APT Evasive Panda that targeted Tibetans in several countries and\r\nterritories. We believe that the attackers capitalized, at the time, on the upcoming Monlam festival in January and February\r\nof 2024 to compromise users when they visited the festival’s website-turned-watering-hole. In addition, the attackers\r\ncompromised the supply chain of a software developer of Tibetan language translation apps.\r\nThe attackers fielded several downloaders, droppers, and backdoors, including MgBot – which is used exclusively by\r\nEvasive Panda – and Nightdoor: the latest major addition to the group’s toolkit and which has been used to target several\r\nnetworks in East Asia.\r\nA comprehensive list of Indicators of Compromise (IoCs) and samples can be found in our GitHub repository.\r\nFor any inquiries about our research published on WeLiveSecurity, please contact us at threatintel@eset.com.\r\nESET Research offers private APT intelligence reports and data feeds. 
For any inquiries about this service, visit\r\nthe ESET Threat Intelligence page.\r\nIoCs\r\nCertificates\r\nSerial number: 49:43:74:D8:55:3C:A9:06:F5:76:74:E2:4A:13:E9:33\r\nThumbprint: 77DBCDFACE92513590B7C3A407BE2717C19094E0\r\nSubject CN: Apple Development: ya ni yang (2289F6V4BN)\r\nSubject O: ya ni yang\r\nSubject L: N/A\r\nSubject S: N/A\r\nSubject C: US\r\nValid from: 2024-01-04 05:26:45\r\nValid to: 2025-01-03 05:26:44\r\n\r\nSerial number: 6014B56E4FFF35DC4C948452B77C9AA9\r\nThumbprint: D4938CB5C031EC7F04D73D4E75F5DB5C8A5C04CE\r\nSubject CN: KP MOBILE\r\nSubject O: KP MOBILE\r\nSubject L: N/A\r\nSubject S: N/A\r\nSubject C: KR\r\nValid from: 2021-10-25 00:00:00\r\nValid to: 2022-10-25 23:59:59\r\nIP | Domain | Hosting provider | First seen | Details\r\nN/A | tibetpost[.]net | N/A | 2023-11-29 | Compromised website.\r\nN/A | www.monlamit[.]com | N/A | 2024-01-24 | Compromised website.\r\nN/A | update.devicebug[.]com | N/A | 2024-01-14 | C\u0026C.\r\n188.208.141[.]204 | N/A | Amol Hingade | 2024-02-01 | Download server for Nightdoor dropper component.\r\nMITRE ATT\u0026CK techniques\r\nThis table was built using version 14 of the MITRE ATT\u0026CK framework.\r\nTactic | ID | Name | Description\r\nResource Development | T1583.004 | Acquire Infrastructure: Server | Evasive Panda acquired servers for the C\u0026C infrastructure of Nightdoor, MgBot, and the macOS downloader component.\r\nResource Development | T1583.006 | Acquire Infrastructure: Web Services | Evasive Panda used Google Drive’s web service for Nightdoor’s C\u0026C infrastructure.\r\nResource Development | T1584.004 | Compromise Infrastructure: Server | Evasive Panda operators compromised several servers to use as watering holes, for a supply-chain attack, and to host payloads and use as C\u0026C servers.\r\nResource Development | T1585.003 | Establish Accounts: Cloud Accounts | Evasive Panda created a Google Drive account and used it as C\u0026C infrastructure.\r\nResource Development | T1587.001 | Develop Capabilities: Malware | Evasive Panda deployed custom implants such as MgBot, Nightdoor, and a macOS downloader component.\r\nResource Development | T1588.003 | Obtain Capabilities: Code Signing Certificates | Evasive Panda obtained code-signing certificates.\r\nResource Development | T1608.004 | Stage Capabilities: Drive-by Target | Evasive Panda operators modified a high-profile website to add a piece of JavaScript code that renders a fake notification to download malware.\r\nInitial Access | T1189 | Drive-by Compromise | Visitors to compromised websites may receive a fake error message enticing them to download malware.\r\nInitial Access | T1195.002 | Supply Chain Compromise: Compromise Software Supply Chain | Evasive Panda trojanized official installer packages from a software company.\r\nExecution | T1106 | Native API | Nightdoor, MgBot, and their intermediate downloader components use Windows APIs to create processes.\r\nExecution | T1053.005 | Scheduled Task/Job: Scheduled Task | Nightdoor and MgBot’s loader components can create scheduled tasks.\r\nPersistence | T1543.003 | Create or Modify System Process: Windows Service | Nightdoor and MgBot’s loader components can create Windows services.\r\nPersistence | T1574.002 | Hijack Execution Flow: DLL Side-Loading | Nightdoor and MgBot’s dropper components deploy a legitimate executable file that side-loads a malicious loader.\r\nDefense Evasion | T1140 | Deobfuscate/Decode Files or Information | DLL components of the Nightdoor implant are decrypted in memory.\r\nDefense Evasion | T1562.004 | Impair Defenses: Disable or Modify System Firewall | Nightdoor adds two Windows Firewall rules to allow inbound and outbound communication for its HTTP proxy server functionality.\r\nDefense Evasion | T1070.004 | Indicator Removal: File Deletion | Nightdoor and MgBot can delete files.\r\nDefense Evasion | T1070.009 | Indicator Removal: Clear Persistence | Nightdoor and MgBot can uninstall themselves.\r\nDefense Evasion | T1036.004 | Masquerading: Masquerade Task or Service | Nightdoor’s loader disguised its task as netsvcs.\r\nDefense Evasion | T1036.005 | Masquerading: Match Legitimate Name or Location | Nightdoor’s installer deploys its components into legitimate system directories.\r\nDefense Evasion | T1027.009 | Obfuscated Files or Information: Embedded Payloads | Nightdoor’s dropper component contains embedded malicious files that are deployed on disk.\r\nDefense Evasion | T1055.001 | Process Injection: Dynamic-link Library Injection | Nightdoor and MgBot’s loader components inject themselves into svchost.exe.\r\nDefense Evasion | T1620 | Reflective Code Loading | Nightdoor and MgBot’s loader components inject themselves into svchost.exe, from where they load the Nightdoor or MgBot backdoor.\r\nDiscovery | T1087.001 | Account Discovery: Local Account | Nightdoor and MgBot collect user account information from the compromised system.\r\nDiscovery | T1083 | File and Directory Discovery | Nightdoor and MgBot can collect information from directories and files.\r\nDiscovery | T1057 | Process Discovery | Nightdoor and MgBot collect information about processes.\r\nDiscovery | T1012 | Query Registry | Nightdoor and MgBot query the Windows registry to find information about installed software.\r\nDiscovery | T1518 | Software Discovery | Nightdoor and MgBot collect information about installed software and services.\r\nDiscovery | T1033 | System Owner/User Discovery | Nightdoor and MgBot collect user account information from the compromised system.\r\nDiscovery | T1082 | System Information Discovery | Nightdoor and MgBot collect a wide range of information about the compromised system.\r\nDiscovery | T1049 | System Network Connections Discovery | Nightdoor and MgBot can collect data from all active TCP and UDP connections on the compromised machine.\r\nCollection | T1560 | Archive Collected Data | Nightdoor and MgBot store collected data in encrypted files.\r\nCollection | T1119 | Automated Collection | Nightdoor and MgBot automatically collect system and network information about the compromised machine.\r\nCollection | T1005 | Data from Local System | Nightdoor and MgBot collect information about the operating system and user data.\r\nCollection | T1074.001 | Data Staged: Local Data Staging | Nightdoor stages data for exfiltration in files on disk.\r\nCommand and Control | T1071.001 | Application Layer Protocol: Web Protocols | Nightdoor communicates with the C\u0026C server using HTTP.\r\nCommand and Control | T1095 | Non-Application Layer Protocol | Nightdoor communicates with the C\u0026C server using UDP. MgBot communicates with the C\u0026C server using TCP.\r\nCommand and Control | T1571 | Non-Standard Port | MgBot uses TCP port 21010.\r\nCommand and Control | T1572 | Protocol Tunneling | Nightdoor can act as an HTTP proxy server, tunneling TCP communication.\r\nCommand and Control | T1102 | Web Service | Nightdoor uses Google Drive for C\u0026C communication.\r\nExfiltration | T1020 | Automated Exfiltration | Nightdoor and MgBot automatically exfiltrate collected data.\r\nExfiltration | T1567.002 | Exfiltration Over Web Service: Exfiltration to Cloud Storage | Nightdoor can exfiltrate its files to Google Drive.\r\nAppendix\r\nThe targeted IP address ranges are provided in the following table.\r\n
India\r\n45.248.28.0/24 Omkar Electronics Delhi India\r\n49.36.185.0/24 Reliance Jio Infocomm Delhi India\r\n59.89.176.0/24 Bharat Sanchar Nigam Limited Dharamsala India\r\n117.207.57.0/24 Bharat Sanchar Nigam Limited Dharamsala India\r\n103.210.33.0/24 Vayudoot Dharamsala India\r\n182.64.251.0/24 Bharti Airtel Gāndarbal India\r\n117.255.45.0/24 Bharat Sanchar Nigam Limited Haliyal India\r\n117.239.1.0/24 Bharat Sanchar Nigam Limited Hamīrpur India\r\n59.89.161.0/24 Bharat Sanchar Nigam Limited Jaipur India\r\n27.60.20.0/24 Bharti Airtel Lucknow India\r\nhttps://www.welivesecurity.com/en/eset-research/evasive-panda-leverages-monlam-festival-target-tibetans/\r\nPage 23 of 26\n\nCIDR ISP City Country\r\n223.189.252.0/24 Bharti Airtel Lucknow India\r\n223.188.237.0/24 Bharti Airtel Meerut India\r\n162.158.235.0/24 Cloudflare Mumbai India\r\n162.158.48.0/24 Cloudflare Mumbai India\r\n162.158.191.0/24 Cloudflare Mumbai India\r\n162.158.227.0/24 Cloudflare Mumbai India\r\n172.69.87.0/24 Cloudflare Mumbai India\r\n172.70.219.0/24 Cloudflare Mumbai India\r\n172.71.198.0/24 Cloudflare Mumbai India\r\n172.68.39.0/24 Cloudflare New Delhi India\r\n59.89.177.0/24 Bharat Sanchar Nigam Limited Pālampur India\r\n103.195.253.0/24 Protoact Digital Network Ranchi India\r\n169.149.224.0/24 Reliance Jio Infocomm Shimla India\r\n169.149.226.0/24 Reliance Jio Infocomm Shimla India\r\n169.149.227.0/24 Reliance Jio Infocomm Shimla India\r\n169.149.229.0/24 Reliance Jio Infocomm Shimla India\r\n169.149.231.0/24 Reliance Jio Infocomm Shimla India\r\n117.255.44.0/24 Bharat Sanchar Nigam Limited Sirsi India\r\n122.161.241.0/24 Bharti Airtel Srinagar India\r\nhttps://www.welivesecurity.com/en/eset-research/evasive-panda-leverages-monlam-festival-target-tibetans/\r\nPage 24 of 26\n\nCIDR ISP City Country\r\n122.161.243.0/24 Bharti Airtel Srinagar India\r\n122.161.240.0/24 Bharti Airtel Srinagar India\r\n117.207.48.0/24 Bharat Sanchar Nigam Limited Yol India\r\n175.181.134.0/24 New Century 
InfoComm Hsinchu Taiwan\r\n36.238.185.0/24 Chunghwa Telecom Kaohsiung Taiwan\r\n36.237.104.0/24 Chunghwa Telecom Tainan Taiwan\r\n36.237.128.0/24 Chunghwa Telecom Tainan Taiwan\r\n36.237.189.0/24 Chunghwa Telecom Tainan Taiwan\r\n42.78.14.0/24 Chunghwa Telecom Tainan Taiwan\r\n61.216.48.0/24 Chunghwa Telecom Tainan Taiwan\r\n36.230.119.0/24 Chunghwa Telecom Taipei Taiwan\r\n114.43.219.0/24 Chunghwa Telecom Taipei Taiwan\r\n114.44.214.0/24 Chunghwa Telecom Taipei Taiwan\r\n114.45.2.0/24 Chunghwa Telecom Taipei Taiwan\r\n118.163.73.0/24 Chunghwa Telecom Taipei Taiwan\r\n118.167.21.0/24 Chunghwa Telecom Taipei Taiwan\r\n220.129.70.0/24 Chunghwa Telecom Taipei Taiwan\r\n106.64.121.0/24 Far EasTone Telecommunications Taoyuan City Taiwan\r\n1.169.65.0/24 Chunghwa Telecom Xizhi Taiwan\r\nhttps://www.welivesecurity.com/en/eset-research/evasive-panda-leverages-monlam-festival-target-tibetans/\r\nPage 25 of 26\n\nCIDR ISP City Country\r\n122.100.113.0/24 Taiwan Mobile Yilan Taiwan\r\n185.93.229.0/24 Sucuri Security Ashburn United States\r\n128.61.64.0/24 Georgia Institute of Technology Atlanta United States\r\n216.66.111.0/24 Vermont Telephone Wallingford United States\r\nSource: https://www.welivesecurity.com/en/eset-research/evasive-panda-leverages-monlam-festival-target-tibetans/\r\nhttps://www.welivesecurity.com/en/eset-research/evasive-panda-leverages-monlam-festival-target-tibetans/\r\nPage 26 of 26",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"MITRE",
		"Malpedia"
	],
	"references": [
		"https://www.welivesecurity.com/en/eset-research/evasive-panda-leverages-monlam-festival-target-tibetans/"
	],
	"report_names": [
		"evasive-panda-leverages-monlam-festival-target-tibetans"
	],
	"threat_actors": [
		{
			"id": "f35997d9-ca1e-453f-b968-0e675cc16d97",
			"created_at": "2023-01-06T13:46:39.490819Z",
			"updated_at": "2026-04-10T02:00:03.345364Z",
			"deleted_at": null,
			"main_name": "Evasive Panda",
			"aliases": [
				"BRONZE HIGHLAND"
			],
			"source_name": "MISPGALAXY:Evasive Panda",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "05cb998c-6e81-47f0-9806-ee4fda72fe0a",
			"created_at": "2024-11-01T02:00:52.763555Z",
			"updated_at": "2026-04-10T02:00:05.263997Z",
			"deleted_at": null,
			"main_name": "Daggerfly",
			"aliases": [
				"Daggerfly",
				"Evasive Panda",
				"BRONZE HIGHLAND"
			],
			"source_name": "MITRE:Daggerfly",
			"tools": [
				"PlugX",
				"MgBot",
				"BITSAdmin",
				"MacMa",
				"Nightdoor"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "812f36f8-e82b-41b6-b9ec-0d23ab0ad6b7",
			"created_at": "2023-01-06T13:46:39.413725Z",
			"updated_at": "2026-04-10T02:00:03.31882Z",
			"deleted_at": null,
			"main_name": "BRONZE HIGHLAND",
			"aliases": [
				"Evasive Panda",
				"Daggerfly"
			],
			"source_name": "MISPGALAXY:BRONZE HIGHLAND",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "19ac84cc-bb2d-4e0c-ace0-5a7659d89ac7",
			"created_at": "2022-10-25T16:07:23.422755Z",
			"updated_at": "2026-04-10T02:00:04.592069Z",
			"deleted_at": null,
			"main_name": "Bronze Highland",
			"aliases": [
				"Daggerfly",
				"Digging Taurus",
				"Evasive Panda",
				"Storm Cloud",
				"StormBamboo",
				"TAG-102",
				"TAG-112"
			],
			"source_name": "ETDA:Bronze Highland",
			"tools": [
				"Agentemis",
				"CDDS",
				"CloudScout",
				"Cobalt Strike",
				"CobaltStrike",
				"DazzleSpy",
				"KsRemote",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"MacMa",
				"Macma",
				"MgBot",
				"Mgmbot",
				"NetMM",
				"Nightdoor",
				"OSX.CDDS",
				"POCOSTICK",
				"RELOADEXT",
				"Suzafk",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "4f7d2815-7504-4818-bf8d-bba18161b111",
			"created_at": "2025-08-07T02:03:24.613342Z",
			"updated_at": "2026-04-10T02:00:03.732192Z",
			"deleted_at": null,
			"main_name": "BRONZE HIGHLAND",
			"aliases": [
				"Daggerfly",
				"Daggerfly ",
				"Evasive Panda ",
				"Evasive Panda ",
				"Storm Bamboo "
			],
			"source_name": "Secureworks:BRONZE HIGHLAND",
			"tools": [
				"Cobalt Strike",
				"KsRemote",
				"Macma",
				"MgBot",
				"Nightdoor",
				"PlugX"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775434369,
	"ts_updated_at": 1775792160,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/45c31eaf4df2dd5ba362f2b24a06579e0146a4eb.pdf",
		"text": "https://archive.orkl.eu/45c31eaf4df2dd5ba362f2b24a06579e0146a4eb.txt",
		"img": "https://archive.orkl.eu/45c31eaf4df2dd5ba362f2b24a06579e0146a4eb.jpg"
	}
}