G1034: Daggerfly
Daggerfly is a People's Republic of China-linked APT entity active since at least 2012. Daggerfly has targeted individuals, government and NGO entities, and telecommunication companies in Asia and Africa. Daggerfly is associated with exclusive use of MgBot malware and is noted for several potential supply chain infection campaigns.[1][2][3][4]
Analyst context for executives and security teams
Daggerfly matters because ATT&CK describes it as a PRC-linked APT active since at least 2012 with reported targeting of individuals, government and NGO entities, and telecommunications companies in Asia and Africa. The material defensive issue is not just a named group: the mapped behavior combines supply-chain-style initial access, user-driven links or drive-by compromise, signed or renamed tooling, Windows persistence and credential access, and backdoor/RAT families including MgBot, Nightdoor, PlugX, and MacMa. For leaders, this is a useful scenario for testing whether endpoint, identity, software update trust, and incident response processes can handle a patient intrusion that may arrive through trusted software or normal web traffic rather than an obvious malware attachment.
Executive priority
Prioritize this as a resilience and assurance scenario where software trust, endpoint visibility, and credential containment are decisive. Organizations in or connected to the referenced sectors and regions should ask whether they can prove control over software update channels, detect suspicious use of legitimate Windows utilities, and respond quickly if local credentials or persistence mechanisms are discovered. This is also relevant to audit and compliance evidence: teams should be able to show logging, change control, code-signing validation, privileged account monitoring, and incident response procedures for supply chain and endpoint compromise scenarios.
Technical view
ATT&CK does not provide a detection section for Daggerfly, so SOC validation should be built from the relationships. Focus on Windows behaviors tied to MgBot, Nightdoor, PlugX, Reg, BITSAdmin, PowerShell, rundll32, scheduled tasks, SAM access, registry queries, DLL abuse, renamed legitimate utilities, local account creation, ingress tool transfer, and web-protocol command and control. Also account for macOS relevance through MacMa and cross-platform techniques such as malicious links, drive-by compromise, supply chain compromise, code signing, and tool transfer. Detection engineering should test behavior chains rather than single indicators: trusted update or web access followed by unusual process execution, persistence creation, credential material access, outbound HTTP/S-like traffic, and staging or transfer of additional tools.
Likely telemetry
- Endpoint process creation and command-line logs for PowerShell, rundll32, reg.exe, BITSAdmin, schtasks, renamed utilities, and DLL execution patterns
- Windows Registry access/change telemetry, especially discovery-oriented queries and persistence-relevant modifications
- Scheduled task creation, modification, and execution records
- Local account creation and privilege-related account management events
- Credential-access signals involving SAM/Registry access and SYSTEM-level activity
Detection direction
- Map existing detections to the related ATT&CK techniques rather than relying on the group name; the official object provides no group-specific detection guidance.
- Validate visibility for living-off-the-land utilities and abuse paths: Reg, BITSAdmin, PowerShell, rundll32, scheduled tasks, and renamed legitimate utilities.
- Tune for sequences: web or software-update-origin activity followed by new executable/DLL placement, signed-but-unusual binaries, persistence creation, registry discovery, credential access, and outbound web-protocol traffic.
- Review false positives carefully because several related behaviors use legitimate administration tools; baseline normal administrative use before escalating broadly.
- Ensure code-signing checks do not equate signed with trusted. The relationships include code-signing certificate development and code-signing abuse, so reputation, signer context, file path, parent process, and first-seen timing matter.
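The following Python is an added example for this page (not MITRE content and not any vendor's or Daggerfly-related code) that sketches the sequence-oriented approach described above over constructed endpoint events. It flags a renamed utility by comparing the PE OriginalFileName with the on-disk name, treats a signed binary executing from an unusual directory as signed-but-not-trusted, and raises a chain alert only when an entry event (a renamed utility, or a process spawned by an updater or browser) is followed within a window by at least two of persistence creation, SAM hive access and web-protocol egress. The event schema, host names, the `updater.exe` parent, the unusual-directory list and the 30-minute window are assumptions; the `dbengin.exe` name and `ProgramData\Microsoft\PlayReady` path come from the Symantec procedure quoted in the technique table.

```python
"""Sequence-aware detection over constructed endpoint events (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

# Living-off-the-land utilities named on the page. A process whose PE
# OriginalFileName is one of these but whose on-disk name differs is a
# rename candidate (T1036.003).
LOLBINS = {"rundll32.exe", "reg.exe", "bitsadmin.exe", "powershell.exe", "schtasks.exe"}
# Directories where a signed executable is unusual (assumed list).
UNUSUAL_DIRS = ("\\programdata\\", "\\users\\public\\", "\\appdata\\local\\temp\\")
# Parent images standing in for update-channel or browser origin (assumed names).
ORIGIN_PARENTS = {"updater.exe", "msedge.exe", "chrome.exe"}
WINDOW = timedelta(minutes=30)  # assumed correlation window
CHAIN_STAGES = {"persistence", "credential_access", "egress"}

def base(path):
    """Lower-cased file name of a Windows path; works on any host OS."""
    return PureWindowsPath(path).name.lower()

def renamed_utility(ev):
    """T1036.003 signal: OriginalFileName is a known utility, on-disk name differs."""
    orig = ev["original_name"].lower()
    return ev["event"] == "process" and orig in LOLBINS and base(ev["image"]) != orig

def signed_but_unusual(ev):
    """Signed is not trusted: a valid signature plus an odd path still deserves a look."""
    low = ev["image"].lower()
    return ev["event"] == "process" and ev["signed"] and any(d in low for d in UNUSUAL_DIRS)

def stage(ev):
    """Classify one event into a chain stage; None means not interesting on its own."""
    name, cmd = base(ev["image"]), ev["cmdline"].lower()
    if ev["event"] == "network":
        return "egress" if ev["dest"].lower().startswith(("http://", "https://")) else None
    if renamed_utility(ev) or base(ev["parent"]) in ORIGIN_PARENTS:
        return "entry"
    if name == "schtasks.exe" and "/create" in cmd:
        return "persistence"
    if name == "reg.exe" and "hklm\\sam" in cmd:
        return "credential_access"
    return None

def single_event_findings(events):
    """Stand-alone signals, useful for baselining before the chain logic is tuned."""
    out = []
    for e in events:
        if renamed_utility(e):
            out.append((e["host"], base(e["image"]), "renamed utility (T1036.003)"))
        if signed_but_unusual(e):
            out.append((e["host"], base(e["image"]), "signed binary in unusual directory"))
    return out

def chain_alerts(events):
    """One alert per host when an entry event is followed within WINDOW by at
    least two distinct chain stages (persistence, credential access, egress)."""
    by_host = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_host[e["host"]].append(e)
    alerts = []
    for host, evs in by_host.items():
        for entry in (e for e in evs if stage(e) == "entry"):
            t0 = datetime.fromisoformat(entry["ts"])
            seen = {stage(e) for e in evs
                    if t0 <= datetime.fromisoformat(e["ts"]) <= t0 + WINDOW
                    and stage(e) in CHAIN_STAGES}
            if len(seen) >= 2:
                alerts.append({"host": host, "entry": base(entry["image"]), "stages": sorted(seen)})
                break  # one alert per host is enough for triage
    return alerts

def ev(ts, host, image, original_name="", parent="", cmdline="", event="process", signed=True, dest=""):
    """Build a constructed event record (field names are assumptions; map to your EDR schema)."""
    return dict(ts=ts, host=host, image=image, original_name=original_name, parent=parent,
                cmdline=cmdline, event=event, signed=signed, dest=dest)

# Constructed telemetry: ws1 carries the chain, ws2 is routine administration.
EVENTS = [
    ev("2024-04-20T09:00:00", "ws1", r"C:\Program Files\VendorApp\updater.exe", "updater.exe",
       r"C:\Windows\explorer.exe", "updater.exe --check"),
    ev("2024-04-20T09:01:10", "ws1", r"C:\ProgramData\Microsoft\PlayReady\dbengin.exe", "RUNDLL32.EXE",
       r"C:\Program Files\VendorApp\updater.exe", "dbengin.exe loader.dll,Start"),
    ev("2024-04-20T09:02:00", "ws1", r"C:\Windows\System32\schtasks.exe", "schtasks.exe",
       r"C:\ProgramData\Microsoft\PlayReady\dbengin.exe", "schtasks /create /tn PlayReadySvc /sc onlogon /tr dbengin.exe"),
    ev("2024-04-20T09:02:30", "ws1", r"C:\Windows\System32\reg.exe", "reg.exe",
       r"C:\ProgramData\Microsoft\PlayReady\dbengin.exe", r"reg save HKLM\SAM C:\ProgramData\out.hiv"),
    ev("2024-04-20T09:03:00", "ws1", r"C:\ProgramData\Microsoft\PlayReady\dbengin.exe",
       event="network", dest="http://203.0.113.10/"),
    ev("2024-04-20T10:00:00", "ws2", r"C:\Windows\System32\reg.exe", "reg.exe",
       r"C:\Windows\System32\cmd.exe", r"reg query HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion"),
    ev("2024-04-20T10:01:00", "ws2", r"C:\Windows\System32\schtasks.exe", "schtasks.exe",
       r"C:\Windows\System32\cmd.exe", "schtasks /create /tn NightlyBackup /sc daily /tr backup.cmd"),
]
```

Run against the constructed events, `single_event_findings` returns two signals for `dbengin.exe` on ws1 and `chain_alerts` returns a single ws1 alert with the stages `credential_access`, `egress` and `persistence`; ws2's `reg query` and scheduled-task creation produce no alert because no entry event precedes them, which is the false-positive control the bullet above asks for. Replace the constructed `EVENTS` with records mapped from Sysmon or EDR process, registry and network telemetry.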
Mitigation priorities
- Start with software supply chain assurance: verify update-source integrity, restrict untrusted update paths, maintain application inventory, and require change-control evidence for software distribution.
- Harden endpoint execution controls for scripts, DLL loading, rundll32 abuse, renamed utilities, and unauthorized tool transfer without blocking legitimate administration blindly.
- Improve privileged and local account governance: alert on unexpected local account creation, reduce standing privilege, and monitor credential material access.
- Strengthen logging coverage before relying on analytics: process command line, registry, scheduled task, file/module, code-signing, account, and network egress telemetry are core to this scenario.
- Segment and monitor high-value government, NGO, telecom, and regionally exposed environments where the ATT&CK description makes the scenario more relevant.
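As an added example of the first mitigation bullet (software supply chain assurance), the Python below implements an update-acceptance policy that an update client or a package-distribution gate could enforce: the download must arrive over HTTPS from an allowlisted host, the version must advance (no downgrade or replay), and the payload's SHA-256 must match a pin held in a manifest obtained out of band, so that a compromised update server (T1584.004) cannot satisfy the check by serving a malicious file together with its own metadata. This is not any vendor's updater and not MITRE content; the host allowlist, the manifest, the version scheme and the payload bytes are constructed for the example.

```python
"""Update-channel acceptance policy (added example, not vendor code)."""
import hashlib
from urllib.parse import urlsplit

# Assumed allowlist of update origins; anything else is an untrusted update path.
ALLOWED_HOSTS = {"updates.vendor.example"}
# Assumed out-of-band manifest: version tuple -> pinned SHA-256 of the update payload.
# The pin is derived here from a constructed payload purely so the example is self-contained.
MANIFEST = {
    (2, 1): hashlib.sha256(b"constructed-good-update-2.1").hexdigest(),
}

def parse_version(text):
    """'2.1' -> (2, 1); tuples compare correctly for downgrade checks."""
    return tuple(int(part) for part in text.split("."))

def check_update(url, version, payload, installed_version):
    """Return the list of policy violations; an empty list means the update may be applied."""
    problems = []
    parts = urlsplit(url)
    if parts.scheme != "https":
        problems.append("transport is not HTTPS")
    if parts.hostname not in ALLOWED_HOSTS:
        problems.append(f"host {parts.hostname!r} not in update allowlist")
    offered = parse_version(version)
    if offered <= parse_version(installed_version):
        problems.append("version does not advance (possible downgrade or replay)")
    pinned = MANIFEST.get(offered)
    if pinned is None:
        problems.append("no pinned hash for this version")
    elif hashlib.sha256(payload).hexdigest() != pinned:
        problems.append("payload hash does not match pinned manifest hash")
    return problems

def apply_allowed(url, version, payload, installed_version):
    """Convenience wrapper: True only when every policy check passes."""
    return not check_update(url, version, payload, installed_version)
```

With the constructed manifest, the genuine 2.1 payload from `https://updates.vendor.example` passes, the same URL with altered bytes fails on the hash pin, and a plain-HTTP download from an unlisted host carrying the already-installed version collects every violation. The manifest pins, not the download server, are the trust anchor; keeping them on a separate channel (signed release metadata, a change-control record) is what makes the control meaningful.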
Analyst notes and limits
The object is a group entry, not a procedure-level report. ATT&CK provides aliases, targeting context, malware/tool associations, and technique relationships, but no official Daggerfly detection text. The strongest defensive value comes from validating coverage across the related malware and techniques, especially MgBot and Nightdoor, supply chain compromise, code signing abuse, Windows living-off-the-land utilities, persistence, credential access, and web-protocol C2.
Platforms and tactics are not specified on the Daggerfly object itself; platform and tactic references above are derived only from related software and technique objects. Local relevance depends on the organization’s geography, sector, software dependencies, endpoint mix, and available telemetry. This summary does not establish current targeting, active exploitation, or guaranteed detection coverage.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1003.002 | Security Account Manager | |
| Enterprise | T1587.002 | Code Signing Certificates | Daggerfly created code signing certificates to sign malicious macOS files.[4] |
| Enterprise | T1053.005 | Scheduled Task | Daggerfly has attempted to use scheduled tasks for persistence in victim environments.[4] |
| Enterprise | T1071.001 | Web Protocols | Daggerfly uses HTTP for command and control communication.[4] |
| Enterprise | T1059.001 | PowerShell | Daggerfly used PowerShell to download and execute remote-hosted files on victim systems.[1] |
| Enterprise | T1036.003 | Rename Legitimate Utilities | Daggerfly used a renamed version of rundll32.exe, such as "dbengin.exe" located in the `ProgramData\Microsoft\PlayReady` directory, to proxy malicious DLL execution.[1] |
| Enterprise | T1204.001 | Malicious Link | Daggerfly has used strategic website compromise to deliver a malicious link requiring user interaction.[4] |
| Enterprise | T1105 | Ingress Tool Transfer | |
| Enterprise | T1082 | System Information Discovery | Daggerfly utilizes victim machine operating system information to create custom User Agent strings for subsequent command and control communication.[4] |
| Enterprise | T1195.002 | Compromise Software Supply Chain | Daggerfly is associated with several supply chain compromises using malicious updates to compromise victims.[2][4] |
| Enterprise | T1574.001 | DLL | |
| Enterprise | T1218.011 | Rundll32 | Daggerfly proxied execution of malicious DLLs through a renamed rundll32.exe binary.[1] |
| Enterprise | T1584.004 | Server | Daggerfly compromised web servers hosting updates for software as part of a supply chain intrusion.[4] |
| Enterprise | T1136.001 | Local Account | Daggerfly created a local account on victim machines to maintain access.[1] |
| Enterprise | T1553.002 | Code Signing | Daggerfly has used signed, but not notarized, malicious files for execution in macOS environments.[4] |
| Enterprise | T1012 | Query Registry | |
| Enterprise | T1189 | Drive-by Compromise | Daggerfly has used strategic website compromise for initial access against victims.[4] |
Groups, software, and campaigns
S0013: PlugX
S1146: MgBot
S0190: BITSAdmin
S1016: MacMa
MacMa is a macOS-based backdoor with a large set of functionalities to control and exfiltrate files from a compromised computer. MacMa has been observed in the wild since November 2021.[1] MacMa shares command and control and unique libraries with MgBot and Nightdoor, indicating a relationship with the Daggerfly threat actor.[2]
S1147: Nightdoor
S0075: Reg
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, the table compares the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 9597b0d12423… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] Symantec Daggerfly 2023: Threat Hunter Team. (2023, April 20). Daggerfly: APT Actor Targets Telecoms Company in Africa. Retrieved July 25, 2024.
[2] ESET EvasivePanda 2023: Facundo Muñoz. (2023, April 26). Evasive Panda APT group delivers malware via updates for popular Chinese software. Retrieved July 25, 2024.
[3] Symantec Daggerfly 2024: Threat Hunter Team. (2024, July 23). Daggerfly: Espionage Group Makes Major Update to Toolset. Retrieved July 25, 2024.
[4] ESET EvasivePanda 2024: Ahn Ho, Facundo Muñoz, & Marc-Etienne M.Léveillé. (2024, March 7). Evasive Panda leverages Monlam Festival to target Tibetans. Retrieved July 25, 2024.
[5] BRONZE HIGHLAND (associated group name) [1][4]
[6] Evasive Panda (associated group name) [1][4]
[7] mitre-attack external ID: G1034
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.