Researchers have linked a previously unattributed Mac backdoor and a new Windows Trojan to a Chinese APT group known as Daggerfly that has been around for over a decade and targets organizations and individuals around the world. The group appears to be using the same modular malware development framework to create threats for Windows, Linux, macOS and Android.
In recent campaigns investigated by researchers from Broadcom’s Symantec Threat Hunting team, the APT group, also known in the security industry as Evasive Panda and Bronze Highland, targeted organizations from Taiwan and a US NGO based in China. The group has been in operation since 2012 and is highly capable, using a variety of attack techniques including watering hole web compromises, exploiting vulnerabilities and even trojanized software updates.
Earlier this year researchers from cybersecurity firm ESET reported that Evasive Panda targeted Tibetans through the compromised website of an important religious festival and a supply-chain compromise involving Tibetan language translation software. Last year, Symantec researchers also reported a Daggerfly attack against a telecommunications company from Africa.

The group’s flagship malware implant for Windows since 2018 has been a custom modular backdoor program called MgBot with capabilities that can be extended with different plug-ins. However, it turns out that MgBot is just one of the backdoors that Daggerfly has developed using the same framework that powers MgBot.

The unattributed Macma macOS backdoor

Back in November 2021, researchers from Google’s Threat Analysis Group (TAG) reported a watering hole attack involving compromised websites in Hong Kong that were serving iOS and macOS exploits to visitors. The macOS attack chain exploited a zero-day vulnerability at the time to deliver a previously undocumented backdoor that Google TAG named Macma. Watering hole attacks are campaigns where specific websites of interest to a target group are compromised, in this case the websites of a media outlet and a prominent pro-democracy labor and political group, the goal being to identify and spy on democracy supporters.
The Macma backdoor was capable of fingerprinting devices, performing screen captures, downloading files to and uploading files from devices, allowing attackers to execute terminal commands, recording audio and keylogging. Even though the malware was subsequently analyzed by multiple companies and researchers, it was not attributed to any particular APT group — until now.
The Symantec researchers found recent versions of Macma that show continued development and improvement of various modules and features. Moreover, these newer variants connected to the same command-and-control (C&C) as an MgBot implant and had code similarities that suggest they were developed with the same framework used to develop MgBot.