Image: Rolf Schmidbauer via Unsplash/Photomosh

China-linked Daggerfly hackers update their toolset, likely after exposure

An alleged Chinese government-backed hacking group has made a major update to its toolset and introduced several new versions of its malware, most likely to avoid detection after its older variants were uncovered, according to recent research.

The hackers from the Daggerfly group, also known as Evasive Panda and Bronze Highland, have added to their arsenal a new malware family based on the group’s most popular MgBot malware and a new version of the Macma macOS backdoor.

“Daggerfly appears to be capable of responding to exposure by quickly updating its toolset to continue its espionage activities with minimal disruption,” researchers from Symantec said in a report on Tuesday.

Daggerfly deployed the new tools in a number of recent attacks, including against organizations in Taiwan and a “high-profile international NGO” operating in two Chinese provinces.

The group delivered malware to victims through the messaging software developed by Chinese tech giant Tencent.

Shortly before the NGO attack last April, the hackers targeted an African telecommunications company using, among other tools, MgBot malware.

Malware updates

One of the tools that underwent several updates is a macOS backdoor known as Macma, first documented by Google in 2021.

Macma hasn’t previously been attributed to a specific group, but Symantec said it found evidence suggesting that it was developed by Daggerfly. For example, two variants of the Macma backdoor connected to a command-and-control (C&C) server that was also used by a MgBot dropper, researchers said.

Another addition to Daggerfly’s toolkit is a Windows backdoor dubbed Suzafk, first documented in March 2024 when it was observed being used alongside MgBot. Suzafk was developed using the same shared library as MgBot, Macma and several other Daggerfly tools, Symantec said.

“New findings provide a clearer picture of the capabilities and resources behind Daggerfly,” researchers said. “The group can create versions of its tools targeting most major operating system platforms.”

Symantec said it has seen evidence of the hackers' ability to infect Android apps, intercept text messages and internet requests, and even target the Solaris operating system with malware.

Daryna Antoniuk is a reporter for Recorded Future News based in Ukraine. She writes about cybersecurity startups, cyberattacks in Eastern Europe and the state of the cyberwar between Ukraine and Russia. She previously was a tech reporter for Forbes Ukraine. Her work has also been published at Sifted, The Kyiv Independent and The Kyiv Post.