{
	"id": "705da3a1-a209-47b6-8899-39ce7a8cdaf4",
	"created_at": "2026-04-06T00:17:51.946009Z",
	"updated_at": "2026-04-10T13:13:09.753222Z",
	"deleted_at": null,
	"sha1_hash": "fadb2d02c0d1ffcc9a87048700de5b1896869137",
	"title": "CloudScout: Evasive Panda scouting cloud services",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 966922,
	"plain_text": "CloudScout: Evasive Panda scouting cloud services\r\nBy Anh Ho\r\nArchived: 2026-04-05 19:24:19 UTC\r\nIn this blogpost, we provide a technical analysis of CloudScout, a post-compromise toolset used by Evasive Panda\r\nto target a government entity and a religious organization in Taiwan from 2022 to 2023. The CloudScout toolset is\r\ncapable of retrieving data from various cloud services by leveraging stolen web session cookies. Through a plugin,\r\nCloudScout works seamlessly with MgBot, Evasive Panda’s signature malware framework.\r\nKey points of this blogpost:\r\nThe CloudScout toolset was detected in Taiwan, between 2022 and 2023, in the network of a\r\nreligious institution and at a government entity.\r\nCloudScout utilizes stolen cookies, provided by MgBot plugins, to access and exfiltrate data\r\nstored at various cloud services.\r\nWe analyzed three CloudScout modules, which aim to steal data from Google Drive, Gmail, and\r\nOutlook. We believe that at least seven additional modules exist.\r\nHardcoded fields in CloudScout’s web requests for stealing Outlook email messages suggest that\r\nthe samples involved were crafted to target Taiwanese users.\r\nEach CloudScout module, programmed in C#, is deployed by an MgBot plugin, programmed in\r\nC++.\r\nEvasive Panda profile\r\nEvasive Panda (also known as BRONZE HIGHLAND, Daggerfly, or StormBamboo) is a China-aligned APT\r\ngroup, operating since at least 2012. Evasive Panda’s objective is cyberespionage against countries and\r\norganizations opposing China’s interests through independence movements such as those in the Tibetan diaspora,\r\nreligious and academic institutions in Taiwan and in Hong Kong, and supporters of democracy in China. At times\r\nwe have also observed its cyberespionage operations extend to countries such as Vietnam, Myanmar, and South\r\nKorea.\r\nEvasive Panda has accumulated an impressive list of attack vectors. 
We have seen its operators conduct\r\nsophisticated TTPs such as supply-chain and watering-hole attacks, and DNS hijacking; in addition, they have\r\nabused the latest CVEs affecting Microsoft Office, Confluence, and web server applications. The group also\r\ndemonstrates a strong capability for malware development, which is showcased in its deep collection of\r\nmultiplatform backdoors for Windows, macOS, and Android. For Windows, its most-used tools are MgBot (since\r\n2012; a custom malware framework consisting of a main implant and eight currently known plugins as detailed in\r\nour WLS blogpost) and the more recently developed Nightdoor (described in another WLS blogpost; a feature-rich backdoor that utilizes public cloud services for C\u0026C communications).\r\nOverview\r\nhttps://www.welivesecurity.com/en/eset-research/cloudscout-evasive-panda-scouting-cloud-services/\r\nPage 1 of 19\n\nIn early 2023, we detected Evasive Panda deploy three previously unknown .NET modules (internally named\r\nCGD, CGM, and COL) at a government entity in Taiwan. These modules are designed to access public cloud\r\nservices such as Google Drive, Gmail, and Outlook by hijacking authenticated web sessions. This technique relies\r\non stealing cookies from a web browser database, then using them in a specific set of web requests to gain access\r\nto cloud services. Unlike stolen credentials, which may be blocked by security features such as two-factor\r\nauthentication (2FA) and IP tracking, stolen web session cookies allow the attacker to retrieve data stored in the\r\ncloud, right from the victim’s machine. In 2023, Google released the Device Bound Session Credentials (DBSC)\r\nproject on GitHub and, in 2024, the App-Bound Encryption feature in the Chrome 127 update. 
These are\r\nprotective measures against cookie-theft malware, such as CloudScout, and could potentially render this toolset\r\nobsolete.\r\nFurther code analysis of the three modules reveals an underlying development framework, codenamed\r\nCloudScout by its developers. In this blogpost, we provide a detailed analysis of this modular framework\r\nprogrammed in C#. To the best of our knowledge, the CloudScout toolset has not previously been documented\r\npublicly.\r\nVictimology\r\nAccording to ESET telemetry, CloudScout was observed in two incidents targeting Taiwan:\r\nIn May 2022, the network of a Taiwanese religious institution was compromised with MgBot and\r\nNightdoor. In this incident, MgBot was used to install a plugin that deploys a CloudScout module.\r\nIn February 2023, CloudScout modules and the Nightdoor implant were detected at what we suspect is a\r\nTaiwanese government entity.\r\nFurthermore, we found in some hardcoded HTTP requests the inclusion of Taipei Standard Time as the time zone\r\nand zh-CN as the language pack (as shown in Figure 1). Both suggest that these samples were crafted to target\r\nTaiwanese users.\r\nFigure 1. HTTP request from COL to Outlook Web Access\r\nTechnical analysis\r\nCloudScout is a .NET malware framework consisting of multiple modules targeting different cloud services. 
The\r\nname CloudScout originated from the PDB paths of the modules obtained:\r\nE:\\project\\git_new\\MProjects\\Code\\CloudScout\\GoogleDriver\\CGD\\obj\\Debug\\CGD.pdb\r\nE:\\project\\git_new\\MProjects\\Code\\CloudScout\\Gmail\\CGM\\obj\\Debug\\CGM.pdb\r\nE:\\project\\git_new\\MProjects\\Code\\CloudScout\\Outlook\\COL\\obj\\Debug\\COL.pdb\r\nWe also found mention of seven other modules in the framework (see the section CommonUtilities: The heart of\r\nCloudScout); at the time of writing, we have not yet observed them deployed on compromised machines, hinting\r\nthat the attackers deploy them selectively. Altogether, the complete list of CloudScout modules is: CGD, CGM,\r\nCOL, CTW, CFB, GMQ, MEXC, CEXC, CZI, and CNE.\r\nBased on the naming convention (e.g., the module targeting Google Drive is called CGD, the one targeting Gmail\r\nCGM, and the one targeting Outlook COL), we infer that CTW and CFB possibly target Twitter and Facebook.\r\nHowever, the purpose of the other modules remains undetermined.\r\nDevelopment timing\r\nThe AssemblyCopyright field’s value, Copyright © 2020, in the .NET manifest of CloudScout modules, as seen\r\nin Figure 2, suggests that the CloudScout toolset might have been developed around 2020. Even though the\r\nlegitimacy of the .NET manifest is questionable, it is consistent across all the samples that we found. In addition,\r\nthe different versions stated in the AssemblyVersion of CGD and CGM reflect the changes added to their code base.\r\nFigure 2. Manifest of CGD module\r\nWe also found different versions of the embedded internal custom-made library package CommonUtilities. Table\r\n1 shows different versions of CGD, CGM, and COL containing different versions of CommonUtilities.\r\nTable 1. 
Versions of CloudScout modules\r\nModule | Version | SHA-1 | CommonUtilities version\r\nCGD | 1.0.11 | 67028AEB095189FDF18B2D7B775B62366EF224A9 | 1.0.08\r\nCGD | 1.0.14 | B3556D1052BF5432D39A6068CCF00D8C318AF146 | 1.0.10\r\nCGD | 1.0.17 | 84F6B9F13CDCD8D9D15D5820536BC878CD89B3C8 | 1.0.11\r\nCGM | 1.0.11 | 4A5BCDAAC0BC315EDD00BB1FCCD1322737BCBEEB | 1.0.08\r\nCGM | 1.0.13 | C058F9FE91293040C8B0908D3DAFC80F89D2E38B | 1.0.10\r\nCGM | 1.0.14 | 621E2B50A979D77BA3F271FAB94326CCCBC009B4 | 1.0.11\r\nCOL | 1.0.10 | 93C1C8AD2AF64D0E4C132F067D369ECBEBAE00B7 | 1.0.08\r\nAssuming that the .NET manifest is accurate, in 2020 alone, we observed three new toolsets from Evasive Panda.\r\nThe other two instances are the first appearance of Nightdoor and a new UDP variant of MgBot (succeeding the\r\nUDT variant).\r\nOld dog, new tricks\r\nFrom a common RC4 encryption key shared by the three modules, we performed a retrohunt and discovered that\r\nCGM was deployed by an MgBot plugin called Gmck.dll, which was programmed in C++. The plugin was\r\ndetected in an incident in 2022 where two machines from the aforementioned religious institution in Taiwan were\r\ncompromised by Evasive Panda. In that incident (illustrated in Figure 3), MgBot installed the CGM module,\r\nwhich in turn accessed the victim’s Gmail account to download emails and personal information.\r\nFigure 3. Compromise chain observed in the aforementioned network of a religious institution in\r\nTaiwan\r\nGmck.dll (which we will refer to as Gmck) carries the .NET module CGM within its binary. In order to execute\r\nCGM, Gmck first drops the module to disk at a hardcoded path, then starts the common language runtime (CLR)\r\nusing ICLRMetaHost and ICLRRuntimeHost. 
Finally, it calls ExecuteInDefaultAppDomain with a reference to\r\nCGM’s entry point function (ModuleStart), as seen in Figure 4.\r\nFigure 4. Code to load the CGM DLL\r\nAccording to our telemetry, CGD and COL modules are also written to the same staging folder, as shown in Table\r\n2.\r\nTable 2. Paths where CloudScout modules are deployed\r\nMgBot plugin | Deployment path | CloudScout module\r\nGmck.dll | %ProgramData%\\NVIDlA\\gmck\\msvc_4.dll | CGM\r\nN/A | %ProgramData%\\NVIDlA\\olck\\msvc_4.dll | COL\r\nN/A | %ProgramData%\\NVIDlA\\dankdh\\msvc_4.dll | CGD\r\nThe staging folder NVIDlA is purposely misspelled using a simple homograph: it’s all in uppercase letters except\r\nthat the letter after the D is a lowercase letter el. The subfolders (gmck, olck, and dankdh) seem to be named after\r\nthe MgBot plugins. Unfortunately, we have been unable to obtain the olck and dankdh plugins.\r\nAfter the CGM module is successfully deployed, the Gmck plugin needs to provide browser cookies to CGM in\r\nthe form of a configuration file. Gmck extracts these cookies from the web browser database files listed in Table 3.\r\nWith the release of App-Bound Encryption in Chrome 127 and Edge 128, Gmck is no longer able to decrypt\r\nCookies database files from Chrome and Edge.\r\nTable 3. 
Database files from which Gmck extracts cookies\r\nTargeted browser | Database file\r\nChrome | %localappdata%\\Google\\Chrome\\User Data\\Local State\r\nChrome | %localappdata%\\Google\\Chrome\\User Data\\\u003cusername\u003e\\Network\\Cookies\r\nEdge | %localappdata%\\Microsoft\\Edge\\User Data\\Local State\r\nEdge | %localappdata%\\Microsoft\\Edge\\User Data\\\u003cusername\u003e\\Network\\Cookies\r\nFirefox | %AppData%\\Mozilla\\Firefox\\profiles.ini\r\nFirefox | %AppData%\\Mozilla\\Firefox\\\u003cprofile_name\u003e\\cookies.sqlite\r\nThe configuration file must have a .dat extension and be RC4 encrypted using the key\r\n0dda5a8d-e4c2-477d-85df-fcb611a62ffe in order to be recognized by CGM. This RC4 key is used by all three\r\nCloudScout modules to decrypt the configuration files, which means the MgBot plugins must also use this key for\r\nencryption.\r\nFigure 5 summarizes the relationship between Gmck and CGM.\r\nFigure 5. Interactions between Gmck and CGM\r\nConfiguration\r\nThe configuration file cm_cke_\u003cyyyymmdd\u003e_\u003chhmmss\u003e.dat in Figure 5 is provided by the MgBot plugin after\r\nit extracts cookies from a web browser’s database. The CloudScout module obtains a new configuration by\r\ncontinuously monitoring its working directory, looking for files with the .dat extension. For each .dat file that it\r\nfinds, the CloudScout module spawns a new thread to handle the file, which means it can handle multiple\r\nconfiguration files at the same time. The newly spawned thread handles a full collection cycle, from parsing the\r\nconfiguration to downloading all the targeted data. 
At the end of the cycle, the configuration file is removed from\r\ndisk to prevent accidentally repeating the same cycle.\r\nThe configuration file is in JSON format. It contains two main data structures: token and config. The token\r\nstructure contains the cookies organized by domain name. The config structure contains settings for downloading and\r\nstaging the collected data for exfiltration, as well as for keeping the program running or exiting after a successful\r\ncycle (dealone field). An example of a configuration file is included in Figure 6.\r\nFigure 6. An example of a configuration generated by the Gmck plugin for the CGM module\r\nCommonUtilities: The heart of CloudScout\r\nAt the heart of CloudScout is the CommonUtilities package, which provides all necessary low-level libraries for\r\nthe modules to run, as illustrated in Figure 7. This package is stored in the resources section of CloudScout\r\nmodules and is loaded at the beginning of the ModuleStart function.\r\nFigure 7. Overview of the design of CommonUtilities\r\nAs seen in Figure 8, the .NET manifest of CommonUtilities reveals all of its client modules.\r\nFigure 8. Manifest of CommonUtilities\r\nCommonUtilities contains quite a few custom-implemented libraries despite the abundant availability of similar\r\nopen-source libraries online. These custom libraries give the developers more flexibility and control over the inner\r\nworkings of their implant, compared to open-source alternatives. They also exhibit certain unexpected\r\nbehaviors that forced us to dig deep into the code to understand them. Examples of these custom libraries are\r\nHTTPAccess and ManagedCookie.\r\nHTTPAccess provides the necessary functions to handle all the HTTP communications of CloudScout modules. 
It has\r\nthe capability of modifying HTTP headers, as shown in Figure 9.\r\nFigure 9. Code in HTTPAccess to modify HTTP headers\r\nIn this code snippet, the this.mngCk object, an instance of the ManagedCookie class, is used to\r\nintegrate cookies into the crafted HTTP headers. As the name suggests, ManagedCookie provides functions to\r\nmanage cookies for web requests between CloudScout and targeted cloud services. What makes this class special\r\nis its comprehensive list of cookie parsers capable of turning most cookies into default .NET cookie objects.\r\nFigure 10 shows the different regexes created to match various combinations of attribute-value pairs in cookies.\r\nFigure 10. Different regexes to handle various combinations of attribute-value pairs in cookies\r\nThe frame of CloudScout\r\nAll CloudScout modules share a uniform architecture, as shown in Figure 11. The core functionality of the module\r\nis in the Cloud namespace, which is nearly identical in each module. The implementation only diverges in\r\nfunctions related to authentication and data retrieval, where each module needs to generate specific web requests\r\nor to parse certain web responses according to the cloud service it targets.\r\nFigure 11. Common design shared by three CloudScout modules\r\nThe streamlined design of CloudScout and the core logic of the Cloud namespace are illustrated in Figure 12.\r\nFigure 12. Overview of the design of a CloudScout module\r\nAuthentication\r\nCookies in general are not very well documented by web platforms. Authentication cookies tend to have short\r\nlifespans and are frequently updated as the user interacts with the platform via a web browser. 
However, as long as\r\nthe sessions are still valid, the cookies listed in Table 4 can be abused by CloudScout to access and download\r\nvaluable data from cloud services.\r\nTable 4. Authentication cookies handled by the CloudScout modules\r\nService | Domains | Required cookies\r\nGoogle Drive | drive.google.com, accounts.google.com | OSID, HSID, SID, SSID, APISID, SAPISID, LSID\r\nGmail | mail.google.com, accounts.google.com | OSID, HSID, SID, SSID, APISID, SAPISID, LSID (the source table shows a single cookie list spanning both Google services)\r\nOutlook | outlook.live.com, login.live.com | X-OWA-CANARY, RPSSecAuth, ClientId\r\nX-OWA-CANARY is a security cookie used by Microsoft Outlook Web Access (OWA) to prevent cross-site\r\nrequest forgery attacks. It is assigned at the beginning of each session when the user is authenticated.\r\nCloudScout’s COL module implements a mechanism to retrieve this cookie when it is not available, by\r\nestablishing a new session using the RPSSecAuth and ClientId cookies to reauthenticate, as shown in Figure 13.\r\nFigure 13. Code to get the X-OWA-CANARY cookie\r\nData retrieval\r\nAfter authentication, the CloudScout modules browse the compromised cloud service accounts in a manner\r\nsimilar to how a regular user would with a web browser. To achieve this, each CloudScout module is equipped\r\nwith a set of hardcoded web requests to perform, along with complex HTML parsers, which identify and extract\r\nthe data of interest from the web responses.\r\nFor example, the CGM and COL modules are interested in mail folder listings and email messages, targeting\r\nGmail and Outlook, respectively. Figure 14 shows the steps that CGM performs to extract email headers, email\r\nbodies, and attachments from the HTML content served by the Gmail web server.\r\nFigure 14. 
Code to parse an HTML page to extract email message data\r\nOn the other hand, CGD is interested in user information from Google Drive; a full directory hierarchy; and files\r\nwith extensions .doc, .docx, .xls, .xlsx, .ppt, .pptx, .pdf, and .txt. Figure 15 is the code snippet from CGD to\r\ngenerate a download URL for a document.\r\nFigure 15. Code to generate a download URL from Google Drive\r\nThe module adds a custom header to each downloaded item, whether it is a file or an email. This custom\r\nheader includes metadata of the item such as client ID (assigned by the malware), email subject, or filename, and\r\nthe username of the cloud service (Table 5). The added header most likely allows stolen data to be processed at\r\nscale, by automated systems, for quick indexing or to perform analysis.\r\nTable 5. Custom headers for downloaded email and files\r\nMail header (CGM and COL):\r\ntasktype:\r\ntaskid:\r\nclientid:\r\nobjectname:\r\nmailid:\r\nusername:\r\nsubject:=?utf-8?b?\u003cbase64_encoded_data\u003e?=\r\nfroms:=?utf-8?b?\u003cbase64_encoded_data\u003e?=\r\ntos:=?utf-8?b?\u003cbase64_encoded_data\u003e?=\r\ntype:\r\nsourceflag: {Outlook|Gmail}\r\nfilepath:\r\nmailcountry:\r\nattachment:\r\nmailboxtype:{outlook|gmail}\r\nfolder:=?utf-8?b?\u003cbase64_encoded_data\u003e?=\r\ntime: \u003cyyyy-MM-dd HH:mm:ss\u003e\r\ncaptime: \u003cyyyy-MM-dd HH:mm:ss\u003e\r\nFile header (CGD):\r\ntasktype:\r\ntaskid:\r\nclientid:\r\nobjectname:\r\nusername:\r\nskydrivetype:googledrive\r\npath:=?utf-8?b?\u003cbase64_encoded_data\u003e?=\r\nsource:googledrive\r\nfilename:=?utf-8?b?\u003cbase64_encoded_data\u003e?=\r\nkey:\r\nfiletime: \u003cyyyy-MM-dd HH:mm:ss\u003e\r\nsize:\r\ntype:googledrive\r\ncaptime: \u003cyyyy-MM-dd HH:mm:ss\u003e\r\nAfter adding the header, each item is encrypted using the same RC4 key as used for the configuration file and\r\nstored with the filename \u003cpseudorandom_GUID\u003e.\u003ccustom_extension\u003e, where \u003ccustom_extension\u003e indicates the\r\ntype of stolen data, as listed in Table 6.\r\nTable 6. Filename extension for each data category\r\nData category | CGD | CGM or COL\r\nPersonal information | .pc_plug_googledrive_profile | N/A\r\nEmail | N/A | .pc_plug_gmck_email\r\nDirectory listing | .pc_plug_googledrive_filelist | .pc_plug_gmck_email_list\r\nFile | .pc_plug_googledrive_file | N/A\r\nNext, all items are compressed into a ZIP archive named \u003cpseudorandom_GUID\u003e.hxkz_zip and placed in a\r\ndirectory for exfiltration as specified by the datapath field of the configuration. This archive can later be\r\nexfiltrated by either MgBot or Nightdoor. In the final step, the CloudScout modules do a full cleanup, removing\r\nall artifacts generated during the collection cycle except the files to be exfiltrated, before checking the dealone flag\r\nto either exit or to continue and wait for a new configuration file to start a new collection cycle.\r\nConclusion\r\nCloudScout is a .NET toolset used by Evasive Panda to steal data stored in cloud services. 
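The configuration handling described in the Configuration section above (a .dat file RC4-encrypted under the key 0dda5a8d-e4c2-477d-85df-fcb611a62ffe, holding a JSON object with token and config structures and the datapath and dealone fields) is shown here as an added example that is not part of the original post and is not CloudScout’s own code: a Python triage helper that decrypts and validates such a file so that .dat files recovered from the staging folder can be inspected offline. It assumes that the RC4 key is the ASCII bytes of the GUID string, and the JSON layout of the cookie entries is illustrative (the report shows the real layout only in Figure 6; only the four field names above come from the text).

```python
# Added example for the Configuration section; not code from the ESET report
# or from CloudScout. Decrypts a CloudScout-style .dat configuration so that
# .dat files found in the NVIDlA staging folder can be triaged offline.
# Assumptions not stated in the report: the RC4 key is the ASCII bytes of the
# GUID string, and the layout of the cookie entries below is illustrative
# (only the names token, config, datapath and dealone come from the report).
import json
from typing import Dict, Optional

RC4_KEY = b'0dda5a8d-e4c2-477d-85df-fcb611a62ffe'  # key quoted in the report


def rc4(key: bytes, data: bytes) -> bytes:
    # Textbook RC4 (KSA then PRGA); the same call encrypts and decrypts.
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def parse_config(blob: bytes) -> Optional[dict]:
    # Returns the decoded configuration, or None when the blob is not
    # RC4(JSON) under the known key, so unrelated .dat files are skipped
    # instead of raising.
    try:
        cfg = json.loads(rc4(RC4_KEY, blob).decode('utf-8'))
    except (UnicodeDecodeError, ValueError):
        return None
    if not isinstance(cfg, dict) or 'token' not in cfg or 'config' not in cfg:
        return None
    return cfg


def cookies_for(cfg: dict, domain: str) -> Dict[str, str]:
    # Flattens the per-domain cookie entries of the token structure into
    # name -> value for one domain.
    return {c['name']: c['value'] for c in cfg['token'].get(domain, [])}


def build_sample_dat() -> bytes:
    # Constructed stand-in for a cm_cke_<yyyymmdd>_<hhmmss>.dat file written by
    # Gmck; cookie values are placeholders, not real session material.
    sample = {
        'token': {
            'mail.google.com': [
                {'name': 'SID', 'value': 'sid-placeholder'},
                {'name': 'HSID', 'value': 'hsid-placeholder'},
            ],
            'accounts.google.com': [
                {'name': 'LSID', 'value': 'lsid-placeholder'},
            ],
        },
        # Forward slashes stand in for the Windows separators of the real path.
        'config': {'datapath': 'C:/ProgramData/NVIDlA/gmck/out', 'dealone': 1},
    }
    return rc4(RC4_KEY, json.dumps(sample).encode('utf-8'))


if __name__ == '__main__':
    cfg = parse_config(build_sample_dat())
    print(sorted(cookies_for(cfg, 'mail.google.com')))
    print('exits after one cycle' if cfg['config']['dealone'] else 'keeps polling')
```

On a live system, read each .dat file from the module’s working directory as bytes and pass it to parse_config; a None result means the file is not a CloudScout configuration under this key (or the operators have rotated the key). Treat any decrypted cookie values as live credentials: the sessions they belong to should be revoked on the cloud side, since removing the malware alone does not invalidate them.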
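For the staging artifacts described in Tables 2, 5 and 6 above (the NVIDlA homograph folder, the custom header on each stolen item, and the per-category extensions and the .hxkz_zip archive), here is an added example that is not from the original post and is not CloudScout’s own code: Python triage helpers a responder can run over a file listing and over an already decrypted item. The sample paths and the sample item are constructed for this example; the confusable-character table and the wording of the findings are this example’s own choices, not something the report specifies.

```python
# Added example, not code from the ESET report or from CloudScout. Host-side
# triage of the CloudScout staging folder: flag the NVIDlA homograph directory
# (Table 2), map staged output files to the data categories of Table 6, and
# parse the custom header that precedes a decrypted stolen item (Table 5).
# The sample paths and the sample item are constructed for this example.
import base64
from typing import Dict, List

SEP = chr(92)  # backslash; Windows separators are normalized to '/' before matching

# Characters commonly substituted for capital I and O in lookalike folder names
# (assumption of this example; the report documents only lowercase el for I).
CONFUSABLE = {'l': 'i', '1': 'i', '0': 'o'}

# Extensions from Table 6, plus the archive name from the exfiltration step.
STAGED_EXTENSIONS = {
    '.pc_plug_googledrive_profile': ('CGD', 'personal information'),
    '.pc_plug_googledrive_filelist': ('CGD', 'directory listing'),
    '.pc_plug_googledrive_file': ('CGD', 'file'),
    '.pc_plug_gmck_email': ('CGM/COL', 'email'),
    '.pc_plug_gmck_email_list': ('CGM/COL', 'directory listing'),
    '.hxkz_zip': ('any module', 'archive ready for exfiltration'),
}


def is_homograph(name: str, legit: str) -> bool:
    # True when name looks like legit once case and confusables are folded but
    # is not the legitimate spelling itself (NVIDlA vs NVIDIA). A pure case
    # difference is not a homograph: Windows paths are case-insensitive.
    def fold(s: str) -> str:
        return ''.join(CONFUSABLE.get(ch, ch) for ch in s.lower())
    return (name.lower() != legit.lower()
            and len(name) == len(legit)
            and fold(name) == fold(legit))


def classify_path(path: str) -> List[str]:
    # Findings for one file path; an empty list means nothing matched.
    parts = path.replace(SEP, '/').split('/')
    dirs, fname = parts[:-1], parts[-1]
    homographs = [d for d in dirs if is_homograph(d, 'NVIDIA')]
    findings = ['homograph directory ' + d for d in homographs]
    for ext, (module, category) in STAGED_EXTENSIONS.items():
        if fname.lower().endswith(ext):
            findings.append('staged ' + category + ' (' + module + ')')
    if fname.lower() == 'msvc_4.dll' and homographs:
        findings.append('CloudScout module drop name under homograph directory')
    return findings


def decode_word(value: str) -> str:
    # Decodes the =?utf-8?b?<base64>?= encoded-word form used for subject,
    # froms, tos, folder, path and filename; other values are returned trimmed.
    v = value.strip()
    if v.startswith('=?') and v.endswith('?='):
        charset, enc, payload = v[2:-2].split('?', 2)
        if enc.lower() == 'b':
            return base64.b64decode(payload).decode(charset)
    return v


def parse_item_header(item: str) -> Dict[str, str]:
    # Reads key:value lines up to the first blank line. Only the first colon
    # separates key and value, so timestamps such as 10:00:00 stay intact.
    header: Dict[str, str] = {}
    for line in item.splitlines():
        if not line.strip():
            break
        key, _, value = line.partition(':')
        header[key.strip()] = decode_word(value)
    return header


# Constructed mail item as CGM would stage it (after RC4 decryption), with a
# placeholder body; QnVkZ2V0IFEz is base64 for the subject Budget Q3.
SAMPLE_ITEM = chr(10).join([
    'tasktype:1',
    'taskid:42',
    'clientid:client-placeholder',
    'objectname:mail',
    'mailid:17',
    'username:user@example.com',
    'subject:=?utf-8?b?QnVkZ2V0IFEz?=',
    'sourceflag: Gmail',
    'mailboxtype:gmail',
    'captime: 2023-02-01 10:00:00',
    '',
    '(message body placeholder)',
])

if __name__ == '__main__':
    for p in ['C:/ProgramData/NVIDlA/gmck/msvc_4.dll',
              'C:/ProgramData/NVIDlA/gmck/out/0f1e2d3c.hxkz_zip',
              'C:/ProgramData/NVIDIA/Display/nvapi.dll']:
        print(p, classify_path(p))
    print(parse_item_header(SAMPLE_ITEM)['subject'])
```

The homograph check is deliberately generic (it compares any directory name against NVIDIA after folding confusables) so it also catches variants such as NVlDIA or NV1DIA, which the report does not mention but which the same trick would produce; the extension and msvc_4.dll checks are exact matches on the names the report gives.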
It is implemented as an\r\nextension to MgBot and uses the pass-the-cookie technique to hijack authenticated sessions from web browsers.\r\nIn this blogpost, we have highlighted the professional design behind the CloudScout framework to demonstrate\r\nEvasive Panda’s technical capabilities and the important roles that cloud-stored documents, user profiles, and\r\nemail play in its espionage operations.\r\nFor any inquiries about our research published on WeLiveSecurity, please contact us at\r\nthreatintel@eset.com.\r\nESET Research offers private APT intelligence reports and data feeds. For any inquiries about this\r\nservice, visit the ESET Threat Intelligence page.\r\nIoCs\r\nA comprehensive list of indicators of compromise (IoCs) and samples can be found in our GitHub repository.\r\nFiles\r\nSHA-1 | Filename | Detection | Description\r\nC70C3750AC6B9D7B033ADDEF838EF1CC28C262F3 | pmsrvd.dll | Win32/Agent.AELQ | MgBot loader.\r\n812124B84C5EA455F7147D94EC38D24BDF159F84 | pmsrvd.dll | Win32/Agent.AELQ | MgBot loader.\r\nAD6C84859D413D627AC589AEDF9891707E179D6C | 3.exe | Win32/Agent.ADJV | MgBot dropper.\r\n3DD958CA6EB7E8F0A0612D295453A3A10C08F5FE | 1.exe | Win32/Agent.ADJV | MgBot dropper.\r\n547BD65EEE05D744E075C5E12FB973A74D42438F | doc.exe | Win32/Agent.AFXX | Nightdoor dropper.\r\n348730018E0A5554F0F05E47BBA43DC0F55795AC | DJCU.dll | Win32/Nightdoor.A | Nightdoor loader.\r\n9B6A473820A72111C1A38735992B55C413D941EE | CommonUtilities.dll | MSIL/Agent.UEK | CloudScout internal library package version 1.0.0.\r\n621E2B50A979D77BA3F271FAB94326CCCBC009B4 | CGM.dll | MSIL/CloudScout.A | CloudScout Gmail stealer version 1.0.14.\r\nC058F9FE91293040C8B0908D3DAFC80F89D2E38B | CGM.dll | MSIL/CloudScout.A | CloudScout Gmail stealer version 1.0.13.\r\n4A5BCDAAC0BC315EDD00BB1FCCD1322737BCBEEB | CGM.dll | MSIL/CloudScout.A | CloudScout Gmail stealer version 1.0.18.\r\n67028AEB095189FDF18B2D7B775B62366EF224A9 | CGD.dll | MSIL/CloudScout.A | CloudScout Google Drive stealer version 1.0.11.\r\nB3556D1052BF5432D39A6068CCF00D8C318AF146 | CGD.dll | MSIL/CloudScout.A | CloudScout Google Drive stealer version 1.0.14.\r\n84F6B9F13CDCD8D9D15D5820536BC878CD89B3C8 | CGD.dll | MSIL/CloudScout.A | CloudScout Google Drive stealer version 1.0.17.\r\n93C1C8AD2AF64D0E4C132F067D369ECBEBAE00B7 | COL.dll | MSIL/CloudScout.A | CloudScout Outlook Web Access stealer version 1.0.10.\r\n8EAA213AE4D482938C5A7EC523C83D2C2E1E8C0E | CommonUtilities.dll | MSIL/CloudScout.A | CloudScout internal library package version 1.0.8.\r\nA1CA41FDB61F03659168050DE3E208F0940F37D8 | CommonUtilities.dll | MSIL/CloudScout.A | CloudScout internal library package version 1.0.11.\r\nNetwork\r\nIP | Domain | Hosting provider | First seen | Details\r\n103.96.128[.]44 | N/A | IRT-WUZHOUHULIAN-HK | 2022-05-26 | MgBot and Nightdoor C\u0026C server.\r\nMITRE ATT\u0026CK techniques\r\nThis table was built using version 15 of the MITRE ATT\u0026CK framework.\r\nTactic | ID | Name | Description\r\nResource Development | T1583.004 | Acquire Infrastructure: Server | Evasive Panda acquired servers for the C\u0026C infrastructure of MgBot and Nightdoor.\r\nResource Development | T1587.001 | Develop Capabilities: Malware | Evasive Panda developed custom implants such as MgBot, CloudScout, and Nightdoor.\r\nExecution | T1569.002 | System Services: Service Execution | MgBot is executed as a Windows service.\r\nExecution | T1106 | Native API | The MgBot installer uses Windows APIs to create processes. Gmck uses ExecuteInDefaultAppDomain to execute CGM in the CLR.\r\nPersistence | T1543.003 | Create or Modify System Process: Windows Service | MgBot replaces the existing Application Management service DLL path with its own.\r\nPrivilege Escalation | T1548.002 | Abuse Elevation Control Mechanism: Bypass User Access Control | MgBot performs UAC bypass.\r\nDefense Evasion | T1140 | Deobfuscate/Decode Files or Information | Gmck decrypts Chrome, Edge, and Firefox web browser databases to extract cookies.\r\nDefense Evasion | T1112 | Modify Registry | MgBot modifies the registry for persistence.\r\nDefense Evasion | T1027 | Obfuscated Files or Information | Gmck obfuscates the configuration that contains cookies.\r\nDefense Evasion | T1550.004 | Use Alternate Authentication Material: Web Session Cookie | CloudScout uses stolen cookies to access cloud resources.\r\nDefense Evasion | T1036.005 | Masquerading: Match Legitimate Name or Location | CloudScout modules are installed to %ProgramData%\\NVIDlA to mimic an NVIDIA directory.\r\nCredential Access | T1539 | Steal Web Session Cookie | Gmck steals cookies.\r\nDiscovery | T1082 | System Information Discovery | MgBot collects system information.\r\nCollection | T1560.001 | Archive Collected Data: Archive via Utility | CloudScout modules use SharpZipLib to compress data before exfiltration.\r\nCollection | T1530 | Data from Cloud Storage Object | CGD downloads files stored on Google Drive.\r\nCollection | T1114.002 | Email Collection: Remote Email Collection | CGM and COL access and collect emails from Gmail and Outlook Web Access, respectively.\r\nCommand and Control | T1095 | Non-Application Layer Protocol | MgBot communicates with its C\u0026C via UDP.\r\nExfiltration | T1041 | Exfiltration Over C2 Channel | MgBot exfiltrates collected data to its C\u0026C.\r\nSource: https://www.welivesecurity.com/en/eset-research/cloudscout-evasive-panda-scouting-cloud-services/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.welivesecurity.com/en/eset-research/cloudscout-evasive-panda-scouting-cloud-services/"
	],
	"report_names": [
		"cloudscout-evasive-panda-scouting-cloud-services"
	],
	"threat_actors": [
		{
			"id": "f35997d9-ca1e-453f-b968-0e675cc16d97",
			"created_at": "2023-01-06T13:46:39.490819Z",
			"updated_at": "2026-04-10T02:00:03.345364Z",
			"deleted_at": null,
			"main_name": "Evasive Panda",
			"aliases": [
				"BRONZE HIGHLAND"
			],
			"source_name": "MISPGALAXY:Evasive Panda",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "05cb998c-6e81-47f0-9806-ee4fda72fe0a",
			"created_at": "2024-11-01T02:00:52.763555Z",
			"updated_at": "2026-04-10T02:00:05.263997Z",
			"deleted_at": null,
			"main_name": "Daggerfly",
			"aliases": [
				"Daggerfly",
				"Evasive Panda",
				"BRONZE HIGHLAND"
			],
			"source_name": "MITRE:Daggerfly",
			"tools": [
				"PlugX",
				"MgBot",
				"BITSAdmin",
				"MacMa",
				"Nightdoor"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "812f36f8-e82b-41b6-b9ec-0d23ab0ad6b7",
			"created_at": "2023-01-06T13:46:39.413725Z",
			"updated_at": "2026-04-10T02:00:03.31882Z",
			"deleted_at": null,
			"main_name": "BRONZE HIGHLAND",
			"aliases": [
				"Evasive Panda",
				"Daggerfly"
			],
			"source_name": "MISPGALAXY:BRONZE HIGHLAND",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "19ac84cc-bb2d-4e0c-ace0-5a7659d89ac7",
			"created_at": "2022-10-25T16:07:23.422755Z",
			"updated_at": "2026-04-10T02:00:04.592069Z",
			"deleted_at": null,
			"main_name": "Bronze Highland",
			"aliases": [
				"Daggerfly",
				"Digging Taurus",
				"Evasive Panda",
				"Storm Cloud",
				"StormBamboo",
				"TAG-102",
				"TAG-112"
			],
			"source_name": "ETDA:Bronze Highland",
			"tools": [
				"Agentemis",
				"CDDS",
				"CloudScout",
				"Cobalt Strike",
				"CobaltStrike",
				"DazzleSpy",
				"KsRemote",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"MacMa",
				"Macma",
				"MgBot",
				"Mgmbot",
				"NetMM",
				"Nightdoor",
				"OSX.CDDS",
				"POCOSTICK",
				"RELOADEXT",
				"Suzafk",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "4f7d2815-7504-4818-bf8d-bba18161b111",
			"created_at": "2025-08-07T02:03:24.613342Z",
			"updated_at": "2026-04-10T02:00:03.732192Z",
			"deleted_at": null,
			"main_name": "BRONZE HIGHLAND",
			"aliases": [
				"Daggerfly",
				"Daggerfly ",
				"Evasive Panda ",
				"Evasive Panda ",
				"Storm Bamboo "
			],
			"source_name": "Secureworks:BRONZE HIGHLAND",
			"tools": [
				"Cobalt Strike",
				"KsRemote",
				"Macma",
				"MgBot",
				"Nightdoor",
				"PlugX"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775434671,
	"ts_updated_at": 1775826789,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/fadb2d02c0d1ffcc9a87048700de5b1896869137.pdf",
		"text": "https://archive.orkl.eu/fadb2d02c0d1ffcc9a87048700de5b1896869137.txt",
		"img": "https://archive.orkl.eu/fadb2d02c0d1ffcc9a87048700de5b1896869137.jpg"
	}
}