Skip to main content
Live Webinar with SANS (June 25)— Agentic CTI Automation for Fun & ProfitRegister Free
Mallory
Back to threat actors
China8 malware familiesExploits CVEs in the wild

Daggerfly

Also known asBRONZE HIGHLANDDaggerflyEvasive PandaStormBamboo

Daggerfly is a threat actor also referred to in the provided content as Bronze Highland, Evasive Panda, and StormBamboo. The content associates Daggerfly with several supply chain compromises in which malicious updates were used to compromise victims, including compromise of web servers hosting software updates as part of a supply chain intrusion. Reported tradecraft includes use of HTTP for command-and-control communication; use of victim operating system information to create custom User-Agent strings for subsequent command-and-control traffic; use of PowerShell to download and execute remotely hosted files; attempted use of scheduled tasks for persistence in victim environments; use of Reg to dump the SAM, System, and Security registry hives from victim machines; and use of signed but not notarized malicious files for execution in macOS environments.

Share:
Are they targeting you?

Know when an actor pivots toward your sector

Mallory correlates actor tradecraft and target patterns against your stack, your sector, and your geography. See overlap before they land.

Start free trial
MITRE ATT&CK

Tradecraft

81 distinct techniques observed across reporting, grouped by tactic. Hover any cell for the evidence excerpt; click through for MITRE's full description.

13 of 15 tactics123 techniques×N= number of intelligence reports citing this technique
MITRE ATT&CK
TA0042
Resource Development
2 techniques
T1584
Compromise Infrastructure
T1608
Stage Capabilities
TA0001
Initial Access
2 techniques
T1091
Replication Through Removable Media
T1195
Supply Chain Compromise
TA0002
Execution
7 techniques
T1053
Scheduled Task/Job
T1053.005×4
Scheduled Task
T1059
Command and Scripting Interpreter
T1059.001×7
PowerShell
T1059.003
Windows Command Shell
T1127
Trusted Developer Utilities Proxy Execution
T1127.001
MSBuild
T1129
Shared Modules
T1197
BITS Jobs
T1204
User Execution
T1204.002
Malicious File
T1574×2
Hijack Execution Flow
TA0003
Persistence
5 techniques
T1053
Scheduled Task/Job
T1053.005×4
Scheduled Task
T1112
Modify Registry
T1197
BITS Jobs
T1543
Create or Modify System Process
T1543.001
Launch Agent
T1543.003
Windows Service
T1547
Boot or Logon Autostart Execution
T1547.001
Registry Run Keys / Startup Folder
TA0004
Privilege Escalation
4 techniques
T1053
Scheduled Task/Job
T1053.005×4
Scheduled Task
T1484
Domain or Tenant Policy Modification
T1484.001
Group Policy Modification
T1543
Create or Modify System Process
T1543.001
Launch Agent
T1543.003
Windows Service
T1547
Boot or Logon Autostart Execution
T1547.001
Registry Run Keys / Startup Folder
TA0005
Stealth
12 techniques
T1027
Obfuscated Files or Information
T1027.001
Binary Padding
T1027.007
Dynamic API Resolution
T1027.013
Encrypted/Encoded File
T1036
Masquerading
T1036.004
Masquerade Task or Service
T1036.005
Match Legitimate Resource Name or Location
T1070
Indicator Removal
T1070.002
Clear Linux or Mac System Logs
T1070.004
File Deletion
T1070.006
Timestomp
T1070.007
Clear Network Connection History and Configurations
T1127
Trusted Developer Utilities Proxy Execution
T1127.001
MSBuild
T1140
Deobfuscate/Decode Files or Information
T1197
BITS Jobs
T1218
System Binary Proxy Execution
T1218.011
Rundll32
T1480
Execution Guardrails
T1480.002
Mutual Exclusion
T1497
Virtualization/Sandbox Evasion
T1497.001
System Checks
T1564
Hide Artifacts
T1564.001
Hidden Files and Directories
T1564.003
Hidden Window
T1574×2
Hijack Execution Flow
T1620
Reflective Code Loading
TA0112
Defense Impairment
3 techniques
T1112
Modify Registry
T1484
Domain or Tenant Policy Modification
T1484.001
Group Policy Modification
T1553
Subvert Trust Controls
T1553.001
Gatekeeper Bypass
T1553.002×2
Code Signing
TA0006
Credential Access
5 techniques
T1003×2
OS Credential Dumping
T1056
Input Capture
T1056.001
Keylogging
T1539
Steal Web Session Cookie
T1552
Unsecured Credentials
T1552.002
Credentials in Registry
T1555
Credentials from Password Stores
T1555.001
Keychain
T1555.003
Credentials from Web Browsers
TA0007
Discovery
17 techniques
T1012×3
Query Registry
T1016
System Network Configuration Discovery
T1018
Remote System Discovery
T1033
System Owner/User Discovery
T1046
Network Service Discovery
T1049
System Network Connections Discovery
T1057
Process Discovery
T1082×2
System Information Discovery
T1083
File and Directory Discovery
T1087
Account Discovery
T1087.001
Local Account
T1087.002
Domain Account
T1120
Peripheral Device Discovery
T1124
System Time Discovery
T1135
Network Share Discovery
T1482
Domain Trust Discovery
T1497
Virtualization/Sandbox Evasion
T1497.001
System Checks
T1518
Software Discovery
T1614
System Location Discovery
TA0008
Lateral Movement
3 techniques
T1021
Remote Services
T1091
Replication Through Removable Media
T1570
Lateral Tool Transfer
TA0009
Collection
8 techniques
T1005
Data from Local System
T1025
Data from Removable Media
T1056
Input Capture
T1056.001
Keylogging
T1074
Data Staged
T1074.001
Local Data Staging
T1113
Screen Capture
T1115
Clipboard Data
T1123
Audio Capture
T1213
Data from Information Repositories
T1213.002
Sharepoint
TA0011
Command and Control
6 techniques
T1071
Application Layer Protocol
T1071.001×4
Web Protocols
T1071.004
DNS
T1095
Non-Application Layer Protocol
T1102
Web Service
T1102.003
One-Way Communication
T1105×2
Ingress Tool Transfer
T1571
Non-Standard Port
T1573
Encrypted Channel
T1573.001
Symmetric Cryptography
TA0010
Exfiltration
2 techniques
T1041
Exfiltration Over C2 Channel
T1048
Exfiltration Over Alternative Protocol
T1048.003
Exfiltration Over Unencrypted Non-C2 Protocol
ARSENAL

Associated malware families

8 malware families attributed to this actor across reporting.

FamilyContextEvidenceLast seen
MgBotDaggerfly is uniquely associated with the use of MgBot since at least 2012.4Mar 18, 2026
Cobalt StrikeTAG-112 compromised at least two Tibetan community websites ... This JavaScript prompted visitors to download a fake security certificate, which, when opened, deployed the Cobalt Strike payload.2Jun 14, 2026
PlugXDaggerfly has used PlugX loaders as part of intrusions.2Mar 18, 2026
BITSAdminDaggerfly has used BITSAdmin to retrieve files from remote locations to run on victim systems.1Mar 18, 2026
MacMaDaggerfly is linked to the use and potentially development of MacMa through overlapping command and control infrastructure and shared libraries with other unique tools.1Mar 18, 2026

3 additional families tracked in Mallory.

WEAPONIZED

Associated vulnerabilities

2 CVEs this actor has used in observed campaigns. 2 of them exploited in the wild.

CVE-2025-9491Microsoft Windows LNK File UI Misrepresentation Remote Code Execution VulnerabilityIn the wildEvidence2

This detection identifies instances where Windows Explorer.exe spawns PowerShell or cmd.exe processes, particularly focusing on executions initiated by LNK files. This behavior is associated with the ZDI-CAN-25373 Windows shortcut zero-day vulnerability, where specially crafted LNK files are used to trigger malicious code execution through cmd.exe or powershell.exe. This technique has been actively exploited by multiple APT groups in targeted attacks through both HTTP and SMB delivery methods.

CVE-2023-290593CX DesktopApp Supply Chain CompromiseIn the wildEvidence1

This detection focuses on identifying vulnerable versions 18.12.407 and 18.12.416 of the 3CX desktop app... these specific versions have known vulnerabilities... CVE CVE-2023-29059

IOCS

Observables

7 indicators attributed to this actor: domains, IPs, hashes, and other artifacts pulled from reporting. View more in app.

7 IOCsView more in app

IOC values are gated. View more in Mallory for domains, IPs, hashes, and other artifacts, or pipe them straight into your SIEM.

ACTIVITY FEED

Recent activity

20 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

20 SOURCESView more in app
splunk researchNews
May 12, 2026
Detection: Powershell Defender Threat Actions Set to Allow | Splunk Security Content

Listed as a threat actor associated with PowerShell execution behavior relevant to this detection.

Read more
splunk researchNews
Apr 22, 2026
Detection: PowerShell PInvoke Process Injection API Chain | Splunk Security Content

Listed as a threat actor associated with the PowerShell P/Invoke process injection API chain detection and related ATT&CK techniques.

Read more
splunk researchNews
Apr 20, 2026
Detection: PowerShell Environment Variable Execution | Splunk Security Content

Listed as a threat actor associated with PowerShell execution behavior relevant to this detection analytic.

Read more
splunk researchNews
Apr 13, 2026
Detection: Windows Cobalt Strike PowerShell Loader | Splunk Security Content

Listed as a threat actor associated with use of Cobalt Strike PowerShell loader patterns.

Read more
+180 more in the timeline
What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: sector and geo overlap with your footprint, the IOCs they’re burning right now, detection coverage, and what to do next.
Start free trial
Target overlap

Match sector + geo + tech-stack targeting against your real footprint.

Tradecraft mapping81

Every observed MITRE ATT&CK technique, grouped by tactic.

Malware arsenal8

Families this actor is known to deploy, with IOCs and behavior.

Exploited CVEs2

CVEs this actor has used in known campaigns.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Observables7

Domains, IPs, and hashes tied to this actor, refreshed continuously.