S1146: MgBot
Analyst context for executives and security teams
MgBot matters because MITRE describes it as a long-running, modular Windows malware framework associated with Daggerfly operations, with plugins for credential access, discovery, and collection behaviors. For leaders, the practical issue is not a single signature: a modular tool can present as multiple behaviors across identity, endpoint, and data-access controls, so readiness depends on whether the organization can see and contain credential theft, internal reconnaissance, and sensitive data collection on Windows endpoints.
Executive priority
Prioritize MgBot as an incident-readiness and control-validation use case for Windows environments. The related ATT&CK behaviors touch credential dumping, browser/password-store theft, account and domain discovery, network/service discovery, removable media, clipboard, audio, local data, and database collection. Executives should ask whether SOC and IR teams can prove visibility into those behavior classes, whether identity controls can limit damage if credentials or cookies are stolen, and whether audit evidence shows monitoring for sensitive data access rather than only malware-name detections.
Technical view
ATT&CK provides no official detection text for MgBot, so defenders should validate coverage behaviorally against the linked techniques: T1003, T1056.001, T1539, T1555, T1555.003 for credential access; T1018, T1033, T1046, T1057, T1087.001, T1087.002, T1482 for discovery; and T1005, T1025, T1115, T1123, T1213.006 for collection. In a Windows-focused scope, SOC teams should correlate endpoint events showing credential-store access, browser credential or cookie access, unusual user/domain/network enumeration, and collection from local files, removable media, clipboard, audio devices, or databases. Treat any detection based only on malware family name as incomplete because the supplied object emphasizes a modular plugin design.
Likely telemetry
- Windows endpoint detection and response events for process execution, process access, file access, and suspicious child-process activity
- Authentication and identity logs that can show account use after possible credential or session theft
- Directory and domain query logs for local account, domain account, and domain trust discovery
- Network telemetry for remote system and network service discovery from endpoints
- Browser and password-store access evidence, where legally and technically collectable
Detection direction
- Use behavior-based detections mapped to the related techniques rather than relying on an MgBot label or hash alone.
- Correlate credential-access signals with discovery and collection activity; the combination is more decision-useful than any single noisy event.
- Validate visibility specifically on Windows endpoints, since Windows is the supplied platform for this malware object.
- Tune expected administrative enumeration separately from suspicious enumeration by unusual users, hosts, timing, or process context.
- Check blind spots around browser credential stores, session cookies, clipboard data, removable media, audio capture, and database access; these are often less consistently logged than process creation.
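One way to implement the correlation the list above calls for, as an added example that is not part of the ATT&CK object or Glexia's page: it groups the page's technique IDs into the three behavior classes and flags a host only when credential access, discovery, and collection all appear within one time window, so a host showing only routine enumeration stays quiet. The event fields, host names, and the two-hour window are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# The technique IDs the page lists, grouped into the three behavior classes
# the detection guidance says to correlate (mapping constructed from the page).
TECHNIQUE_CLASS = {}
for _cls, _ids in {
    "credential_access": ("T1003", "T1056.001", "T1539", "T1555", "T1555.003"),
    "discovery": ("T1018", "T1033", "T1046", "T1057", "T1087.001", "T1087.002", "T1482"),
    "collection": ("T1005", "T1025", "T1115", "T1123", "T1213.006"),
}.items():
    for _id in _ids:
        TECHNIQUE_CLASS[_id] = _cls

def correlate(events, window=timedelta(hours=2)):
    """Return {host: sorted technique IDs} for hosts where credential access,
    discovery and collection all occur within `window` of each other.

    Each event is a dict with ts (ISO 8601), host and technique (ATT&CK ID);
    techniques outside the mapping are ignored, and a host that shows only
    one or two classes (e.g. expected administrative enumeration) is not flagged."""
    by_host = defaultdict(list)
    for e in events:
        cls = TECHNIQUE_CLASS.get(e["technique"])
        if cls:
            by_host[e["host"]].append((datetime.fromisoformat(e["ts"]), cls, e["technique"]))
    hits = {}
    for host, evs in by_host.items():
        evs.sort()  # chronological; each event starts a candidate window
        for i, (start, _, _) in enumerate(evs):
            in_window = [ev for ev in evs[i:] if ev[0] - start <= window]
            if {ev[1] for ev in in_window} == {"credential_access", "discovery", "collection"}:
                hits[host] = sorted({ev[2] for ev in in_window})
                break
    return hits

# Constructed sample events, not real telemetry: ws-17 shows the full chain,
# admin-01 shows only discovery spread across the day.
SAMPLE_EVENTS = [
    {"ts": "2024-07-25T09:00:00", "host": "ws-17", "technique": "T1087.002"},
    {"ts": "2024-07-25T09:05:00", "host": "ws-17", "technique": "T1555.003"},
    {"ts": "2024-07-25T09:40:00", "host": "ws-17", "technique": "T1115"},
    {"ts": "2024-07-25T08:00:00", "host": "admin-01", "technique": "T1087.002"},
    {"ts": "2024-07-25T15:00:00", "host": "admin-01", "technique": "T1018"},
]

if __name__ == "__main__":
    print(correlate(SAMPLE_EVENTS))  # {'ws-17': ['T1087.002', 'T1115', 'T1555.003']}
```

In production the same three-class rule would run over EDR technique tags or mapped event IDs; the window and host key are the two knobs to tune against the administrative baselines the list above mentions.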
Mitigation priorities
- Reduce credential value first: enforce least privilege, restrict administrative rights, and strengthen identity controls so credential dumping or browser/password-store theft has limited blast radius.
- Harden and monitor Windows endpoints for credential-store access, suspicious discovery, and sensitive data collection behaviors.
- Limit unnecessary access to local sensitive files, removable media, databases, and collaboration or browser-stored credentials based on business need.
- Improve segmentation and access governance so remote system discovery and service discovery do not translate easily into lateral movement opportunities.
- Prepare IR procedures for modular malware cases: isolate affected Windows hosts, preserve endpoint and identity evidence, rotate exposed credentials or sessions when supported by findings, and review discovered/collected data scope.
Analyst notes and limits
The strongest decision value comes from treating MgBot as a coverage test for the behaviors that ATT&CK relationships report its plugins use. The object is tied to Daggerfly in the official description, but this take does not infer local exposure, active exploitation, or guaranteed detection. The related technique set points to identity compromise and data collection risk, making it relevant to managed detection, incident response, IAM, data protection, and audit readiness.
The supplied ATT&CK object has no official detection section, no aliases, no tactics listed on the malware object itself, and only Windows as the platform. Relationship descriptions include broader platform coverage for the techniques, but this summary does not expand MgBot platform scope beyond the supplied malware platform. Local telemetry, asset criticality, and observed indicators are required to assess exposure or detection quality.
MgBot
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1056.001 | Keylogging (sub-technique) | MgBot includes keylogger payloads focused on the QQ chat application. [ESET EvasivePanda 2023; Symantec Daggerfly 2023] |
| Enterprise | T1033 | System Owner/User Discovery | MgBot includes modules for identifying local users and administrators on victim machines. [Symantec Daggerfly 2023] |
| Enterprise | T1087.002 | Domain Account (sub-technique) | MgBot includes modules for collecting information on Active Directory domain accounts. [Symantec Daggerfly 2023] |
| Enterprise | T1003 | OS Credential Dumping | MgBot includes modules for dumping and capturing credentials from process memory. [Symantec Daggerfly 2023] |
| Enterprise | T1555 | Credentials from Password Stores | MgBot includes modules for stealing stored credentials from Outlook and Foxmail email client software. [ESET EvasivePanda 2023; Symantec Daggerfly 2023] |
| Enterprise | T1087.001 | Local Account (sub-technique) | MgBot includes modules for identifying local administrator accounts on victim systems. [Symantec Daggerfly 2023] |
| Enterprise | T1213.006 | Databases (sub-technique) | MgBot includes a module capable of stealing content from the Tencent QQ database storing user QQ message history on infected devices. [ESET EvasivePanda 2023] |
| Enterprise | T1555.003 | Credentials from Web Browsers (sub-technique) | MgBot includes modules for stealing credentials from various browsers and applications, including Chrome, Opera, Firefox, Foxmail, QQBrowser, FileZilla, and WinSCP. [ESET EvasivePanda 2023; Symantec Daggerfly 2023] |
| Enterprise | T1005 | Data from Local System | MgBot includes modules for collecting files from local systems based on a given set of properties and filenames. [ESET EvasivePanda 2023] |
| Enterprise | T1025 | Data from Removable Media | MgBot includes modules capable of gathering information from USB thumb drives and CD-ROMs on the victim machine given a list of provided criteria. [ESET EvasivePanda 2023] |
| Enterprise | T1482 | Domain Trust Discovery | MgBot includes modules for collecting information on local domain users and permissions. [Symantec Daggerfly 2023] |
| Enterprise | T1115 | Clipboard Data | MgBot can capture clipboard data. [ESET EvasivePanda 2023; Symantec Daggerfly 2023] |
| Enterprise | T1539 | Steal Web Session Cookie | MgBot includes modules that can steal cookies from Firefox, Chrome, and Edge web browsers. [ESET EvasivePanda 2023] |
| Enterprise | T1018 | Remote System Discovery | MgBot includes modules for performing ARP scans of local connected systems. [Symantec Daggerfly 2023] |
| Enterprise | T1057 | Process Discovery | |
| Enterprise | T1046 | Network Service Discovery | MgBot includes modules for performing HTTP and server service scans. [Symantec Daggerfly 2023] |
| Enterprise | T1123 | Audio Capture | MgBot can capture input and output audio streams from infected devices. [ESET EvasivePanda 2023; Symantec Daggerfly 2023] |
Groups, software, and campaigns
G1034: Daggerfly
Daggerfly is a People's Republic of China-linked APT entity active since at least 2012. Daggerfly has targeted individuals, government and NGO entities, and telecommunication companies in Asia and Africa. Daggerfly is associated with exclusive use of MgBot malware and is noted for several potential supply chain infection campaigns.[1][2][3][4]
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | a6edd5b9cff8… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] Szappanos MgBot 2014: Gabor Szappanos. (2014, February 3). Needle in a haystack. Retrieved July 25, 2024.
[2] ESET EvasivePanda 2023: Facundo Muñoz. (2023, April 26). Evasive Panda APT group delivers malware via updates for popular Chinese software. Retrieved July 25, 2024.
[3] Symantec Daggerfly 2024: Threat Hunter Team. (2024, July 23). Daggerfly: Espionage Group Makes Major Update to Toolset. Retrieved July 25, 2024.
[4] mitre-attack S1146
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.