The most recent advancements indicate that the gang is employing a single framework to efficiently target Windows, Linux, macOS, and Android operating systems.
The researchers saw the group using new malware versions in recent operations against Taiwanese organizations and a US NGO operating in China.
The Evolution of Daggerfly
Daggerfly has been active for over a decade, conducting espionage operations both internationally and within China. Their primary targets have included government agencies, defense contractors, and various industries critical to national security. Over the years, Daggerfly has demonstrated a high level of sophistication in their cyber operations, continually evolving their tactics, techniques, and procedures (TTPs) to stay ahead of detection mechanisms.
Symantec reported in April 2023 on a Daggerfly campaign targeting an African telecoms business, in which the gang employed new plugins written with the MgBot malware platform.
In March 2024, ESET identified persistent Daggerfly campaigns targeting Tibetans in multiple countries and territories. The researchers observed the group using Nightdoor, a previously undocumented backdoor.
Daggerfly appears to be capable of responding to disclosure by quickly updating its toolset and continuing its espionage efforts with minimal disturbance.
The Upgraded Malware Arsenal
Symantec stated that it discovered proof that Daggerfly had created the macOS backdoor Macma. Macma was initially documented by Google in 2021, however, it appears to have been used since at least 2019.
According to Google's early study, the modular backdoor provides a variety of data exfiltration capabilities, such as device fingerprinting, command execution, screen capture, keylogging, audio recording, and file uploading and downloading.
A second version of Macma includes incremental improvements to the existing capabilities, such as more debug logging and updated modules in the appended data.
Its main module showed signs of more comprehensive changes, such as new logic to collect a file's system listing and changed code in the AudioRecorderHelper function.
Symantec linked Macma to Daggerfly after discovering two variants of the Macma backdoor connected to a command-and-control (C&C) server also used by a MgBot dropper.
Furthermore, Macma and other well-known Daggerfly malware, such as Mgbot, incorporate code from a single, shared library or framework that has been used to create threats for Windows, macOS, Linux, and Android platforms.
The researchers also noted Daggerfly's usage of the Windows backdoor Suzafk, which ESET initially identified as Nightdoor in March 2024.
Implications for Cybersecurity
Suzafk is a multi-stage backdoor that can use TCP or OneDrive for command and control. It was created using the same shared library as Mgbot, Macma, and several other Daggerfly utilities.
The researchers found a configuration indicating that the ability to connect to OneDrive is in development or exists in other malware copies.
In addition to the tools listed above, Symantec claims Daggerfly can Trojanize Android APKs, SMS interception tools, DNS request interception tools, and even malware families targeting the Solaris operating system.
The Broader Context of Cyber Espionage
Daggerfly’s activities are part of a broader trend of state-sponsored cyber espionage. Nation-states invest heavily in cyber capabilities to gain strategic advantages over their adversaries. These activities often target critical infrastructure, intellectual property, and sensitive government information.
The international community has recognized the threat posed by state-sponsored cyber espionage, leading to increased efforts to develop norms and agreements to govern state behavior in cyberspace. However, the covert nature of these operations makes attribution and enforcement challenging.