ClickCease Evasive Panda Cyber Attacks: Threat Actor Targets Tibetans

Content Table

Join Our Popular Newsletter

Join 4,500+ Linux & Open Source Professionals!

2x a month. No spam.

Evasive Panda Cyber Attacks: Threat Actor Targets Tibetans

Wajahat Raja

March 22, 2024 - TuxCare expert team

Cybersecurity experts at ESET have come across a malicious campaign that targets Tibetans in many countries by leveraging the website of a religious gathering. Evasive Panda cyber attacks are associated with a China-linked Advanced Persistent Threat (APT) actor. 

The development comes days after the MoqHao cybersecurity threat that was also linked to Chinese hackers belonging to Roaming Mantis. The website of the Monlam Festival, the annual religious event, was compromised by adding malicious code to create a watering-hole attack. The target audience of the Evasive Panda cyber attacks was located in Hong Kong, India, Australia, Taiwan, and the United States. 

In this article, we will go into detail of the watering hole attacks and supply chain cyber-attacks by Evasive Panda and the cyber espionage techniques used by this advanced persistent threat (APT) actor.


Evasive Panda Background 

Evasive Panda has been on the scene since 2012. The advanced persistent threat (APT) group is linked with the Chinese government and has conducted several attacks on government entities in the Philippines, Taiwan, Myanmar, and Vietnam. These
Evasive Panda cyber attacks aligned with the geopolitical interests of China. 

Cyber Espionage Techniques by Evasive Panda

The cyber espionage campaign started last September and targets Tibetans with corrupted language translation software. This software is compatible with both Windows and macOS. Apart from the software, these
 cyber attacks also include the compromise of the website of a religious gathering, which happens in India every year. 

The reason why researchers were able to link the cyber attacks to China-linked hackers is because the malware tactics of Evasive Panda matched their earlier attacks on networks in East Asia. The researchers said that the intention of Evasive Panda  was most likely to take advantage of the Monlam festival which occurs in Bodhgaya, India.

Evasive Panda Cyber Attacks Uncovered

A Tibetan language translation software developed by an Indian software house was also attacked and compromised by Evasive Panda. The end goal of these attacks is to deploy a backdoor which is called MgBot or Nightdoor through malicious downloaders. 

ESET’s cybersecurity experts said that at least three websites were attacked and compromised by the Evasive Panda attackers for the purpose of carrying out supply chain cyber-attacks and watering hole attacks. 

Two executables are used as launchpads for Evasive Panda cyber attacks: “certificate.exe” for Windows and “certificate.pkg” for macOS. These executables help load the Nightdoor implant that abuses the Google Drive API. The backdoor has the ability to collect information and perform file operations. 


Cyberattacks are rising and are becoming more complex with each passing day and the Evasive Panda cyber attacks are the latest on the list. Falling prey to such cyberattacks can have drastic consequences like reputational and monetary damage. Given this, organizations are recommended to implement proactive cybersecurity measures to safeguard against such attacks and improve their security posture. 

The sources for this piece include articles in The Hacker News and The Record.


Evasive Panda Cyber Attacks: Threat Actor Targets Tibetans
Article Name
Evasive Panda Cyber Attacks: Threat Actor Targets Tibetans
Tibetans have been targeted by Evasive Panda cyber attacks via Watering Hole and Supply Chain attacks. Read more about the threat here!
Publisher Name
Publisher Logo

Looking to automate vulnerability patching without kernel reboots, system downtime, or scheduled maintenance windows?

Learn About Live Patching with TuxCare

Become a TuxCare Guest Writer

Get started




Linux & Open Source

Subscribe to
our newsletter