Bronze Highland

Description

(SecureWorks) BRONZE HIGHLAND has been observed using spearphishing as an initial infection vector to deploy the MgBot remote access trojan against targets in Hong Kong. Third party reporting suggests the threat group also targets India, Malaysia and Taiwan and leverages Cobalt Strike and KsRemote Android Rat. CTU researchers assess with moderate confidence that BRONZE HIGHLAND operates on behalf of China and has a remit covering espionage against domestic human rights and pro-democracy advocates and nations neighbouring China.

Names

Name	Name-Giver
Bronze Highland	SecureWorks
Evasive Panda	Malwarebytes
Daggerfly	Symantec
Storm Cloud	Volexity
StormBamboo	Volexity
TAG-102	Recorded Future
TAG-112	Recorded Future
Digging Taurus	Palo Alto

Country

• China

Sponsor

State-sponsored

Motivation

• Information theft and espionage

First Seen

2012

Observed Sectors

• Telecommunications
• human rights and pro-democracy advocates

Observed Countries

• China
• Hong Kong
• India
• Macao
• Malaysia
• Myanmar
• Nigeria
• Philippines
• Taiwan
• Tibet
• Vietnam
• Africa

Tools

• CloudScout
• Cobalt Strike
• GIMMICK
• Nightdoor
• Macma
• MgBot
• KsRemote
• RELOADEXT
• Living off the Land

Operations

• 2020: Evasive Panda APT group delivers malware via updates for popular Chinese software https://www.welivesecurity.com/2023/04/26/evasive-panda-apt-group-malware-updates-popular-chinese-software/
• 2021 Late: Storm Cloud on the Horizon: GIMMICK Malware Strikes at macOS https://www.volexity.com/blog/2022/03/22/storm-cloud-on-the-horizon-gimmick-malware-strikes-at-macos/
• 2022: CloudScout: Evasive Panda scouting cloud services https://www.welivesecurity.com/en/eset-research/cloudscout-evasive-panda-scouting-cloud-services/
• 2022-11: Daggerfly: APT Actor Targets Telecoms Company in Africa https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/apt-attacks-telecoms-africa-mgbot
• 2023 Mid: StormBamboo Compromises ISP to Abuse Insecure Software Update Mechanisms https://www.volexity.com/blog/2024/08/02/stormbamboo-compromises-isp-to-abuse-insecure-software-update-mechanisms/
• 2023-09: Evasive Panda leverages Monlam Festival to target Tibetans https://www.welivesecurity.com/en/eset-research/evasive-panda-leverages-monlam-festival-target-tibetans/
• 2024-05: China-Nexus TAG-112 Compromises Tibetan Websites to Distribute Cobalt Strike https://go.recordedfuture.com/hubfs/reports/cta-cn-2024-1112.pdf
• 2024-07: Daggerfly: Espionage Group Makes Major Update to Toolset https://symantec-enterprise-blogs.security.com/threat-intelligence/daggerfly-espionage-updated-toolset

Information

• https://www.secureworks.com/research/threat-profiles
• https://blog.malwarebytes.com/threat-analysis/2020/07/chinese-apt-group-targets-india-and-hong-kong-using-new-variant-of-mgbot-malware/
• https://vb2020.vblocalhost.com/uploads/VB2020-43.pdf

Other Information

Uuid

8c9d0ce1-0e92-4de2-b8e0-053b16ad37ed

Last Card Change

2025-06-27