Evasive Panda [1] [2] [3] [4] [5] [6] [7], a Chinese-speaking APT group [4] [6], has been conducting a cyber-espionage campaign targeting Tibetan Buddhism-promoting organizations [4] [7], a Tibetan language translation development company [7], and the Tibetpost news website since at least September 2023.

Description

The attackers used a strategic web compromise (watering hole) and a supply-chain compromise to deliver trojanized installers of Tibetan language software for Windows and macOS [4]. The compromised websites served malicious downloaders that infected visitors with MgBot and a backdoor named Nightdoor [4]. At least three websites were compromised [4], including those of the Kagyu International Monlam Trust and Tibetpost [1] [4], to carry out the watering-hole attacks and host the malicious payloads [4]. The supply-chain compromise involved trojanized applications hosted on a Tibetan software company's website and on Tibetpost [4], serving payloads for Windows and macOS [1] [4].

The targeted users were located in India [4], Taiwan [2] [4] [6] [7], Hong Kong [1] [4] [6] [7], Australia [4] [6] [7], and the United States [4] [6], and the operation potentially capitalized on international interest in the Kagyu Monlam Festival [4]; its timing during the festival suggests a deliberate effort to exploit increased online activity [3]. The attackers selected victims with a mechanism based on IP addresses and system configurations [4], and the majority of the targeted IP address ranges were in India [4]. Payload delivery relied on an MD5 hash-based check [4], with the hash computed from the first three octets of the user's IP address [4].

On Windows, a dropper deployed an intermediate downloader that eventually delivered Nightdoor as the final payload [4]. On macOS, the payload dropped an additional Mach-O executable to prevent re-compromising visitors to the watering-hole website [4]. The campaign has been attributed to Evasive Panda based on the malware used and the group's previous attacks [4], and it illustrates the sophisticated tactics and targeting of the group's cyber-espionage activities [4].
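The IP-prefix hash check described above, modelled here as an added example so that defenders can test whether their own egress ranges appear in a published hash list. This is not code from the page, from ESET, or from the campaign itself. It assumes the selection script hashed the dotted string of the first three octets (for example "192.0.2"); the exact string format used by the attackers and the real hash values are not on this page, so the hash list below is a constructed placeholder that must be filled from a vendor IoC feed before use. The "system configuration" half of the victim selection is not modelled.

```python
import hashlib
import ipaddress

# Constructed placeholder: the campaign's real target-hash list is not on this page.
# Populate it from a vendor IoC feed before running an audit.
PLACEHOLDER_TARGET_HASHES: set[str] = set()


def network_prefix(ip: str) -> str:
    """Return the first three octets of an IPv4 address ('192.0.2.44' -> '192.0.2').

    Raises ValueError for anything that is not a valid IPv4 address (IPv6 included),
    since the described mechanism keys only on IPv4 octets.
    """
    addr = ipaddress.IPv4Address(ip)
    return ".".join(str(addr).split(".")[:3])


def prefix_digest(prefix: str) -> str:
    """MD5 hex digest of the prefix string (assumed format: 'A.B.C')."""
    return hashlib.md5(prefix.encode("ascii")).hexdigest()


def build_hash_list(prefixes) -> set[str]:
    """Convert known /24 prefixes into the hashed form a selection script would compare against.

    Handy for turning a vendor's decoded prefix list into hashes, or for building a
    constructed list in tests.
    """
    return {prefix_digest(p) for p in prefixes}


def matching_prefixes(candidate_ips, target_hashes) -> list[str]:
    """Return the sorted, de-duplicated /24 prefixes of candidate_ips whose MD5 is in target_hashes.

    Invalid or non-IPv4 addresses are skipped rather than aborting the audit, so a
    raw proxy-log export can be fed in directly.
    """
    matches = set()
    for ip in candidate_ips:
        try:
            prefix = network_prefix(ip)
        except ValueError:
            continue
        if prefix_digest(prefix) in target_hashes:
            matches.add(prefix)
    return sorted(matches)


if __name__ == "__main__":
    # Constructed sample: egress addresses an organization might export from its proxy logs.
    sample_egress = ["198.51.100.7", "198.51.100.91", "203.0.113.9", "2001:db8::1", "not-an-ip"]
    # Constructed hash list that happens to contain one of the sample ranges.
    sample_hashes = build_hash_list(["198.51.100"])
    print(matching_prefixes(sample_egress, sample_hashes))
```

Because the check hashes only the first three octets, every host in a /24 receives the same verdict; an audit therefore needs one representative address per egress range, not every client IP. If a vendor publishes the hash list rather than the decoded prefixes, `matching_prefixes` can be run directly against that list with the organization's known egress ranges.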
This operation underscores the ongoing threat posed by state-linked actors and the importance of robust cybersecurity measures for potential targets [7]. Evasive Panda is a Chinese-speaking APT group operating since 2012 [2] [6], known for targeting government entities and organizations in Southeast and East Asia [1] [6], including Myanmar [2] [6], the Philippines [2], Taiwan [2] [4] [6] [7], and Vietnam [2], and for hijacking legitimate software update processes to deliver malware [2]. The attack, first detected in January 2024 [6], also targeted the Georgia Institute of Technology in the US and a software development company in India that produces Tibetan language software [6]. ESET attributes the campaign to Evasive Panda based on the use of MgBot and Nightdoor [6], which had previously been deployed together in attacks against religious organizations in Taiwan [6].

Conclusion

The cyber-espionage campaign conducted by Evasive Panda highlights the need for enhanced cybersecurity measures to protect against sophisticated threats. The targeting of organizations promoting Tibetan Buddhism and the strategic timing of the attacks during the Monlam Festival demonstrate the group’s strategic capabilities. Moving forward, organizations must remain vigilant and implement robust security protocols to mitigate the risks posed by state-linked threat actors like Evasive Panda.

References

[1] https://www.prnewswire.com/news-releases/china-aligned-evasive-panda-leverages-religious-festival-to-target-and-spy-on-tibetans-eset-research-discovers-302082248.html
[2] https://thecyberpost.com/news/tibetans-targeted-by-china-linked-supply-chain-attacks-using-malicious-language-translators/
[3] https://www.infosecurity-magazine.com/news/evasive-panda-targets-tibet/
[4] https://www.welivesecurity.com/en/eset-research/evasive-panda-leverages-monlam-festival-target-tibetans/
[5] https://ciso2ciso.com/evasive-panda-targets-tibet-with-trojanized-software-source-www-infosecurity-magazine-com/
[6] https://itnerd.blog/2024/03/07/guest-post-china-aligned-evasive-panda-leverages-religious-festival-to-target-and-spy-on-tibetans-eset-research-discovers/
[7] https://bnnbreaking.com/tech/cybersecurity/evasive-panda-strikes-cyber-espionage-targets-tibetan-sites-and-users-globally