Evasive Panda

Actor Type	Nation State
Attributed to Nation	China

Evasive Panda is an intrusion set originally identified by researchers from Malwarebytes. The group has been active since at least 2014 and is reported as being likely sponsored by the Chinese government.

The group implements its own custom malware framework with a modular architecture that allows its backdoor, known as MgBot, to install additional functionality. Evasive Panda have been observed delivering malware through updates for popular Chinese software as well as launching supply chain and watering hole attacks.

Cyber Threat Graph Context

Explore how this Intrusion Set relates to the wider threat graph

Evasive Panda Threat Reports

Report

Evasive Panda leverages Monlam Festival to target Tibetans

This report by researchers at ESET describes a campaign which they attribute to the China-aligned APT Evasive Panda. The report describes a ...

View Source

References

MITRE ATT&CK Techniques

MITRE ATT&CK techniques observed in use by this intrusion set.

Search:

ATT&CK ID	Title	Associated Tactics
T1082	System Information Discovery	Discovery
T1053.005	Scheduled Task	Execution, Persistence, Privilege Escalation
T1074.001	Local Data Staging	Collection
T1020	Automated Exfiltration	Exfiltration
T1070.009	Clear Persistence	Defense Evasion
T1588.003	Code Signing Certificates	Resource Development
T1012	Query Registry	Discovery
T1567.002	Exfiltration to Cloud Storage	Exfiltration
T1005	Data from Local System	Collection
T1119	Automated Collection	Collection
T1083	File and Directory Discovery	Discovery
T1102	Web Service	Command and Control
T1095	Non-Application Layer Protocol	Command and Control
T1608.004	Drive-by Target	Resource Development
T1071.001	Web Protocols	Command and Control
T1036.004	Masquerade Task or Service	Defense Evasion
T1036.005	Match Legitimate Name or Location	Defense Evasion
T1027.009	Embedded Payloads	Defense Evasion
T1543.003	Windows Service	Persistence, Privilege Escalation
T1189	Drive-by Compromise	Initial Access
T1195.002	Compromise Software Supply Chain	Initial Access
T1140	Deobfuscate/Decode Files or Information	Defense Evasion
T1571	Non-Standard Port	Command and Control
T1518	Software Discovery	Discovery
T1057	Process Discovery	Discovery
T1572	Protocol Tunneling	Command and Control
T1583.006	Web Services	Resource Development
T1584.004	Server	Resource Development
T1587.001	Malware	Resource Development
T1585.003	Cloud Accounts	Resource Development
T1033	System Owner/User Discovery	Discovery
T1055.001	Dynamic-link Library Injection	Defense Evasion, Privilege Escalation
T1106	Native API	Execution
T1560	Archive Collected Data	Collection
T1049	System Network Connections Discovery	Discovery
T1562.004	Disable or Modify System Firewall	Defense Evasion
T1087.001	Local Account	Discovery
T1620	Reflective Code Loading	Defense Evasion
T1583.004	Server	Resource Development
T1070.004	File Deletion	Defense Evasion
T1574.002	DLL Side-Loading	Defense Evasion, Persistence, Privilege Escalation

Showing 1 to 41 of 41 entries