Tibetan protestors
Image: Norbu Gyachung via Unsplash

Tibetans targeted by China-linked supply chain attacks using malicious language translators

Tibetans are being targeted with corrupted language translation software in a cyber espionage campaign that began last September, according to new research.

The attackers — which cybersecurity firm ESET said are part of the Chinese government hacking group Evasive Panda — targeted Tibetans living in India, Taiwan, Hong Kong, Australia and the U.S.

In addition to the corrupt Windows and macOS software, ESET said the campaign also involved the compromise of the website of an organizer of an annual religious gathering called the Monlam Festival, which takes place in India each year.

The hackers added malicious code to the website to create a watering-hole attack — where attackers target specific groups by compromising popular platforms.

“We believe that the attackers capitalized, at the time, on the upcoming Monlam festival in January and February of 2024 to compromise users when they visited the festival’s website-turned-watering-hole,” ESET said. “In addition, the attackers compromised the supply chain of a software developer of Tibetan language translation apps.”

ESET researcher Anh Ho, who discovered the attack, said the Evasive Panda hackers used several different types of malicious tools that they have spotted in other attacks on networks across East Asia.

Most notably, the group used MgBot — Evasive Panda’s flagship Windows backdoor that has existed since at least 2012 and is used to steal files and credentials and record keystrokes. In April, Evasive Panda used the malware to target a telecom company in Africa.

The majority of MgBot’s plugins are designed to steal information from popular Chinese applications such as QQ, WeChat, QQBrowser and Foxmail — all developed by Tencent.

Ho said ESET also discovered another backdoor that has not been publicly documented yet, naming it “Nightdoor.” ESET noted that they discovered Nightdoor was used as far back as 2020, when it was deployed on the machine of a “high-profile target in Vietnam.”

“The Nightdoor backdoor, used in the supply-chain attack, is a recent addition to Evasive Panda’s toolset,” Ho added.

ESET said it initially discovered the campaign in January after finding malicious code buried in a website run by the Kagyu International Monlam Trust, an organization based in India that promotes Tibetan Buddhism internationally.

The researchers theorized that the compromise was likely intended to take advantage of interest in the festival, which is held every January in the Indian city of Bodhgaya. In conjunction with the website attack, the researchers also found that an Indian software development company producing Tibetan language translation software was also compromised, with the attackers corrupting applications that deployed malicious downloaders on both Windows and macOS devices.

ESET found another compromise of a Tibetan news website called Tibetpost that was used to host the malicious payloads.

The use of MgBot is what led to ESET attributing the campaign to Evasive Panda — which has used the malware in attacks on a religious organization in Taiwan and elsewhere.

Evasive Panda has been operating since 2012, conducting dozens of attacks aligning with China’s geopolitical interests on government entities in Myanmar, the Philippines, Taiwan and Vietnam.

Since 2020, ESET said it has seen Evasive Panda repeatedly hijack the update processes of legitimate software as a way to deliver its malware.

Get more insights with the
Recorded Future
Intelligence Cloud.
Learn more.
No previous article
No new articles
Jonathan Greig

Jonathan Greig

is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.