Home/ Threat Actors/ Daggerfly

🇨🇳Daggerfly

🇨🇳 Daggerfly is a tracked threat actor in the Clankerusecase corpus. CN-aligned. Primary motivation: State. We map 14 detection use cases to this actor across 17 MITRE ATT&CK techniques, with 0 threat-intel articles citing them.

View full actor card → All threat actors MITRE ATT&CK group spec (G1034) ↗

14Use cases

0Articles

17Techniques

0IOCs

About this actor (MITRE)

[Daggerfly](https://attack.mitre.org/groups/G1034) is a People's Republic of China-linked APT entity active since at least 2012. [Daggerfly](https://attack.mitre.org/groups/G1034) has targeted individuals, government and NGO entities, and telecommunication companies in Asia and Africa. [Daggerfly](https://attack.mitre.org/groups/G1034) is associated with exclusive use of [MgBot](https://attack.mitre.org/software/S1146) malware and is noted for several potential supply chain infection campaigns.(Citation: Symantec Daggerfly 2023)(Citation: ESET EvasivePanda 2023)(Citation: Symantec Daggerfly 20

Known aliases

DaggerflyEvasive PandaBRONZE HIGHLAND

Top techniques

T1003.002 · Security Account Manager T1012 · Query Registry T1036.003 · Rename Legitimate Utilities

All other tracked techniques

T1053.005 · Scheduled Task T1059.001 · PowerShell T1071.001 · Web Protocols T1082 · System Information Discovery T1105 · Ingress Tool Transfer T1136.001 · Local Account T1189 · Drive-by Compromise T1195.002 · Compromise Software Supply Chain T1204.001 · Malicious Link T1218.011 · Rundll32 T1553.002 · Code Signing T1574.001 · DLL T1584.004 · Server T1587.002 · Code Signing Certificates

Detection use cases (14)

Daggerfly (Evasive Panda) MgBot loader: signed-app side-loaded DLL invoked via rundll32 from user-writable path AI · profile S Daggerfly MgBot persistence: scheduled task launching rundll32 against user-writable DLL AI · profile SΣ Brand-Impersonation Domain Fetch Followed by User-Context Loader Within 10 Minutes MITRE match Cross-Platform ClickFix Paste-to-Pipe Loader (UI-Parent Shell with Decode-and-Execute Payload) MITRE match Internet-Facing Service Process Spawning Unix Shell or Ingress-Tool LOLBin (Edge Zero-Day Post-Exploit) MITRE match Internet-facing service process spawns shell/LOLBin within minutes of public inbound connection — post-RCE command execution MITRE match Low-Code / AI Workflow Runtime Sandbox-Escape — Server Process Spawns Shell + Public Egress MITRE match Non-Browser Process Reads Browser Credential / Cookie SQLite Then Egresses to Public Destination Within 10 Minutes MITRE match npm/yarn/pnpm Install-Hook Spawn → Credential-Store Read or Worm-Payload Drop in node_modules MITRE match Package Manager / Dev-Tool Auto-Execution Triggers Non-Registry Egress or Credential-Store Access MITRE match Package-manager child process credential fan-out with public egress (Mini Shai-Hulud / TeamPCP worm chain) MITRE match Post-Auth Privilege Boundary Crossing on Edge/Management Appliances (low-priv -> admin within 10m) MITRE match Server / AI-agent process spawns shell or LOLBIN with public egress — post-RCE behavioural chain MITRE match Vendor / Third-Party OAuth App or SP Sign-in From Unbaselined Egress Followed by Bulk SaaS Object Read MITRE match