MgBot

MgBot is a backdoor/implant that, in the sources summarized here, is attributed to a single China-linked threat actor, Daggerfly, which has used it since at least 2012. Cited reporting also describes Evasive Panda (ESET's name for the same group) delivering MgBot through DNS poisoning and then running the implant in memory: a legitimately signed executable sideloads a malicious DLL, and the payload is injected into legitimate processes rather than written to disk as a standalone binary.
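A hunt heuristic for that execution chain, added here as an example and not taken from the page or from the cited reporting: it flags a signed executable running outside the usual install roots that loads an unsigned DLL from its own directory, which is the arrangement DLL sideloading depends on. The event shape (loosely modelled on image-load telemetry such as Sysmon Event ID 7), every path and PID, and the trusted-root list are assumptions constructed for illustration.

```python
"""Added example, not code from the original page or from any vendor report.

Heuristic for DLL sideloading by a signed host executable. Runs over
constructed image-load records; every path, PID and signature flag is
invented, and TRUSTED_ROOTS is an assumption to tune per estate."""

from dataclasses import dataclass
from pathlib import PureWindowsPath


@dataclass(frozen=True)
class ImageLoad:
    pid: int
    image: str          # path of the loading process
    image_signed: bool  # loader carries a valid Authenticode signature
    loaded: str         # path of the DLL that was mapped
    loaded_signed: bool


# Assumption: code under these roots was installed by an administrator, so a
# DLL loaded from beside the EXE there is far less likely to be a planted one.
TRUSTED_ROOTS = tuple(PureWindowsPath(p) for p in (
    r"C:\Windows\System32",
    r"C:\Windows\SysWOW64",
    r"C:\Program Files",
    r"C:\Program Files (x86)",
))


def is_under(path: PureWindowsPath, root: PureWindowsPath) -> bool:
    """True if path is root or lies below it. Comparison is component-wise,
    so 'C:\\Program Files (x86)' is not treated as under 'C:\\Program Files'."""
    try:
        path.relative_to(root)
        return True
    except ValueError:
        return False


def in_trusted_root(path: str) -> bool:
    p = PureWindowsPath(path)
    return any(is_under(p, root) for root in TRUSTED_ROOTS)


def sideload_candidates(events):
    """Flag loads where a signed EXE outside the trusted roots maps an unsigned
    DLL that sits in the EXE's own directory, the search-order position an
    attacker controls when EXE and DLL are dropped together."""
    hits = []
    for ev in events:
        exe = PureWindowsPath(ev.image)
        dll = PureWindowsPath(ev.loaded)
        if (ev.image_signed
                and not ev.loaded_signed
                and not in_trusted_root(ev.image)
                and dll.parent == exe.parent):
            hits.append(ev)
    return hits


# Constructed sample telemetry (invented paths and PIDs).
SAMPLE_EVENTS = [
    # signed loader in a user-writable directory mapping an unsigned DLL beside it
    ImageLoad(4120, r"C:\Users\alice\AppData\Local\Temp\updater\svc.exe", True,
              r"C:\Users\alice\AppData\Local\Temp\updater\version.dll", False),
    # the same loader mapping a signed system DLL: expected, not flagged
    ImageLoad(4120, r"C:\Users\alice\AppData\Local\Temp\updater\svc.exe", True,
              r"C:\Windows\System32\kernel32.dll", True),
    # vendor tool under Program Files loading its own unsigned helper: excluded by the root list
    ImageLoad(820, r"C:\Program Files\Vendor\tool.exe", True,
              r"C:\Program Files\Vendor\helper.dll", False),
    # unsigned EXE loading an unsigned DLL: not a sideload of a signed host, left to other rules
    ImageLoad(5310, r"C:\Users\alice\Downloads\setup.exe", False,
              r"C:\Users\alice\Downloads\setup.dll", False),
]


if __name__ == "__main__":
    for ev in sideload_candidates(SAMPLE_EVENTS):
        print(f"pid {ev.pid}: {ev.image} sideloaded {ev.loaded}")
```

The root allow-list trades recall for precision: a sideload planted under Program Files by an attacker who already has administrator rights will not be caught, which is acceptable for a first-stage delivery hunt where the loader typically lands in a user-writable path. Pair the hit with the process's later behaviour (remote thread creation or image injection into another process) to reflect the in-memory execution step the reporting describes.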

The high-confidence capabilities described in the content are collection and credential theft from many sources. MgBot includes modules that collect information on Active Directory domain accounts; identify local users and administrators; gather files from USB thumb drives and CD-ROMs that match operator-supplied criteria; perform ARP scans of locally connected systems; and perform HTTP and server service scans. It can also capture clipboard data and record both input and output audio streams on infected devices.

For credential and session theft, MgBot includes modules that steal stored credentials from the Outlook and Foxmail mail clients; steal credentials from browsers and applications including Chrome, Opera, Firefox, Foxmail, QQBrowser, FileZilla, and WinSCP; and steal cookies from Firefox, Chrome, and Edge. The content further associates MgBot with the credential-access and collection behaviours of OS credential dumping, keylogging, clipboard collection, and web session cookie theft.
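Hunt logic for that credential and cookie theft, added here as an example and not code from the page or from any vendor report: it flags a process that reads a browser, mail-client or file-transfer credential store without being the application that owns it, then surfaces processes that touch several products' stores, which is the multi-source pattern described for MgBot. The store-to-owner table, the file-access record shape, and every path and PID are constructed assumptions; the file names used are the well-known on-disk locations for Chrome, Edge, Firefox and FileZilla (WinSCP keeps sessions in the registry by default and is not covered).

```python
"""Added example, not code from the original page or from any vendor report.

Flags reads of credential stores by processes other than their owner and
rolls up processes that harvest several products at once. The table, the
records and every path/PID are constructed for illustration."""

import re
from dataclasses import dataclass
from pathlib import PureWindowsPath


@dataclass(frozen=True)
class FileAccess:
    pid: int
    process: str  # full path of the process opening the file
    target: str   # file that was opened for read


@dataclass(frozen=True)
class Hit:
    pid: int
    process: str
    target: str
    product: str         # which credential store was touched
    expected_owner: str  # executable that legitimately opens it


# (regex over the lower-cased target path, product label, owning executable)
CREDENTIAL_STORES = [
    (re.compile(r"\\google\\chrome\\user data\\[^\\]+\\(network\\)?cookies$"), "chrome", "chrome.exe"),
    (re.compile(r"\\google\\chrome\\user data\\[^\\]+\\login data$"), "chrome", "chrome.exe"),
    (re.compile(r"\\microsoft\\edge\\user data\\[^\\]+\\(network\\)?cookies$"), "edge", "msedge.exe"),
    (re.compile(r"\\microsoft\\edge\\user data\\[^\\]+\\login data$"), "edge", "msedge.exe"),
    (re.compile(r"\\mozilla\\firefox\\profiles\\[^\\]+\\(cookies\.sqlite|logins\.json|key4\.db)$"),
     "firefox", "firefox.exe"),
    (re.compile(r"\\filezilla\\(sitemanager|recentservers)\.xml$"), "filezilla", "filezilla.exe"),
]


def classify(target: str):
    """Return (product, owner) if target is a known credential store, else None."""
    low = target.lower()
    for pattern, product, owner in CREDENTIAL_STORES:
        if pattern.search(low):
            return product, owner
    return None


def foreign_store_access(events):
    """Flag reads of a credential store by any process other than its owner.
    Assumption: only the owning browser/client should open these files;
    backup agents and EDR sensors need an allow-list layered on top."""
    hits = []
    for ev in events:
        found = classify(ev.target)
        if found is None:
            continue
        product, owner = found
        if PureWindowsPath(ev.process).name.lower() != owner:
            hits.append(Hit(ev.pid, ev.process, ev.target, product, owner))
    return hits


def multi_store_readers(hits, min_products=2):
    """PIDs that touched stores of at least min_products distinct products:
    one process harvesting several applications' secrets."""
    products = {}
    for h in hits:
        products.setdefault(h.pid, set()).add(h.product)
    return {pid for pid, ps in products.items() if len(ps) >= min_products}


# Constructed sample telemetry (invented paths and PIDs).
USER = r"C:\Users\alice\AppData"
SAMPLE_EVENTS = [
    FileAccess(4120, r"C:\Users\alice\AppData\Local\Temp\updater\svc.exe",
               USER + r"\Local\Google\Chrome\User Data\Default\Network\Cookies"),
    FileAccess(2210, r"C:\Program Files\Google\Chrome\Application\chrome.exe",
               USER + r"\Local\Google\Chrome\User Data\Default\Network\Cookies"),
    FileAccess(4120, r"C:\Users\alice\AppData\Local\Temp\updater\svc.exe",
               USER + r"\Roaming\Mozilla\Firefox\Profiles\ab12cd34.default-release\cookies.sqlite"),
    FileAccess(4120, r"C:\Users\alice\AppData\Local\Temp\updater\svc.exe",
               USER + r"\Roaming\FileZilla\sitemanager.xml"),
    FileAccess(3300, r"C:\Windows\explorer.exe",
               r"C:\Users\alice\Documents\notes.txt"),
    FileAccess(6002, r"C:\Windows\System32\svchost.exe",
               USER + r"\Local\Microsoft\Edge\User Data\Default\Login Data"),
]


if __name__ == "__main__":
    hits = foreign_store_access(SAMPLE_EVENTS)
    for h in hits:
        print(f"pid {h.pid} ({h.process}) read {h.product} store, expected {h.expected_owner}")
    print("multi-store readers:", multi_store_readers(hits))
```

The per-file rule alone is noisy (the svchost read of the Edge login database in the sample is a single hit that could be a legitimate service); the roll-up over distinct products is what isolates a stealer-style process, because no single legitimate application has reason to open Chrome's, Firefox's and FileZilla's stores in one run. Copying of whole profile directories, as one of the ATT&CK excerpts below describes, would need a directory-level variant of the same check.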

Targeting information in the content is thin: one cited report places MgBot activity in South Korea, and Daggerfly is the actor most directly tied to its use. No standalone IOCs (hashes, domains, or IP addresses) are provided, so hunting for this family has to rest on the behaviours above rather than on atomic indicators.

THREAT ACTORS

Groups observed using it

1 distinct threat actor attributed by public researchers.

Daggerfly

Daggerfly is the only actor associated with MgBot in the sources behind this page and has used it since at least 2012.

Source: MITRE ATT&CK (attack.mitre.org)
MITRE ATT&CK

Techniques & procedures

22 distinct techniques documented for this family, organized by ATT&CK tactic (T1056.001 Keylogging is listed under both Credential Access and Collection and counted once). The evidence excerpts are taken from the ATT&CK procedure examples for each technique and frequently quote other families; only the excerpts that name MgBot are direct evidence for it, the rest show what the technique looks like in general.

Credential Access

6 techniques
T1003 OS Credential Dumping (evidence: 2)

Excerpt not captured on this page; the summary above attributes OS credential dumping to MgBot.

T1056.001 Input Capture: Keylogging (evidence: 2)

Excerpt not captured on this page; the summary above attributes keylogging to MgBot.

T1539 Steal Web Session Cookie (evidence: 3)

"APT42 has used custom malware to steal login and cookie data from common browsers." / "...extracts the web session cookie and sends it to the C2 server." / "...stole Chrome browser cookies by copying the Chrome profile directories of targeted users."

T1555 Credentials from Password Stores (evidence: 3)

Agent Tesla has the ability to steal credentials from FTP clients and wireless profiles... APT33 has used a variety of publicly available tools like LaZagne to gather credentials... Mimikatz performs credential dumping to obtain account and password information useful in gaining access to additional systems and enterprise network resources. It contains functionality to acquire information about credentials in many ways, including from the credential vault and DPAPI.

T1555.003 Credentials from Password Stores: Credentials from Web Browsers (evidence: 5)

The content repeatedly describes threat actors and malware stealing usernames, passwords, cookies, session tokens, and other saved credentials from web browsers such as Chrome, Firefox, Internet Explorer, Edge, Opera, Safari, and Yandex.

T1555.005 Credentials from Password Stores: Password Managers (evidence: 1)

Evilnum can collect email credentials from victims... Malteiro has obtained credentials from mail clients via NirSoft MailPassView... MgBot includes modules for stealing stored credentials from Outlook and Foxmail email client software... PLEAD has the ability to steal saved passwords from Microsoft Outlook.

Caveat: every excerpt above describes theft from mail clients, not from a password manager, and the MgBot sentence is the same Outlook/Foxmail module the summary above lists under stored credentials. That behaviour fits the parent technique T1555; treat the T1555.005 label as unverified.

Discovery

10 techniques
T1018 Remote System Discovery (evidence: 3)

During the 2015 Ukraine Electric Power Attack, Sandworm Team remotely discovered systems over LAN connections. OT systems were visible from the IT network as well, giving adversaries the ability to discover operational assets. For MgBot, the summary above ties this technique to its ARP scan of locally connected systems.

T1033 System Owner/User Discovery (evidence: 3)

The content repeatedly describes malware and threat actors collecting usernames, identifying logged-in users, running whoami/query user/quser, checking whether the current user is an administrator, enumerating user sessions, and gathering account details from compromised hosts.

T1046 Network Service Discovery (evidence: 2)

The content repeatedly describes threat actors and malware performing network scanning, port scanning, service enumeration, OS fingerprinting, and identifying open ports/services across victim environments. MgBot's HTTP and server service scan modules fall here.

T1057 Process Discovery (evidence: 3)

The content repeatedly describes malware and threat actors obtaining lists of running processes, using utilities such as tasklist, ps, WMI, Get-Process, CreateToolhelp32Snapshot, EnumProcesses, and similar APIs/commands to enumerate active processes on victim systems.

T1069 Permission Groups Discovery (evidence: 2)

The content notes checks for whether the current user is an administrator or privileged, including 'AsyncRAT can check if the current user of a compromised system is an administrator,' 'Gelsemium has the ability to distinguish between a standard user and an administrator,' and 'Wizard Spider has used whoami to identify the local user and their privileges.'

T1083 File and Directory Discovery (evidence: 1)

BADNEWS crawls the victim's local drives and collects documents with selected extensions; Machete searches the file system for files of interest; Rover searches for files on local drives based on a predefined list of file extensions.

T1087 Account Discovery (evidence: 2)

Examples include 'Caterpillar WebShell can obtain a list of user accounts from a victim's machine,' 'DRATzarus can obtain a list of users from an infected machine,' 'Woody RAT can retrieve a list of user accounts and usernames from an infected machine,' and 'TrickBot can identify the user and groups the user belongs to on a compromised host.'

T1087.001 Account Discovery: Local Account (evidence: 1)

Excerpt not captured on this page; the summary above notes that MgBot identifies local users and administrators.

T1087.002 Account Discovery: Domain Account (evidence: 2)

AdFind can enumerate domain users. APT41 used built-in net commands to enumerate domain administrator users. BloodHound can collect information about domain users, including identification of domain admin accounts. MgBot's module for collecting Active Directory domain account information maps here.

T1482 Domain Trust Discovery (evidence: 2)

Excerpt not captured on this page, and the summary above describes no domain-trust enumeration module for MgBot.

Collection

6 techniques
T1005 Data from Local System (evidence: 4)

The content repeatedly describes threat actors and malware collecting, stealing, identifying, copying, or staging files, documents, credentials, logs, databases, and other information from compromised hosts or local systems.

T1025 Data from Removable Media (evidence: 2)

AppleSeed can find and collect data from removable media devices. APT28 backdoor may collect the entire contents of an inserted USB device. Aria-body has the ability to collect data from USB devices. BADNEWS copies files with certain extensions from USB devices to a predefined directory. MgBot's module for gathering files from USB thumb drives and CD-ROMs maps here.

T1056.001 Input Capture: Keylogging (evidence: 2)

Excerpt not captured on this page; the same technique is listed under Credential Access above.

T1115 Clipboard Data (evidence: 3)

Agent Tesla can steal data from the victim’s clipboard. APT38 used a Trojan called KEYLIME to collect data from the clipboard. APT39 has used tools capable of stealing contents of the clipboard. The summary above attributes clipboard capture to MgBot.

T1123 Audio Capture (evidence: 2)

Excerpt not captured on this page; the summary above notes that MgBot captures input and output audio streams.

T1213.002 Data from Information Repositories: Sharepoint (evidence: 1)

The label and its description disagree: the page shows the text "Data from Information Repositories: Databases" under a Sharepoint technique ID, no excerpt is captured, and nothing in the summary above ties MgBot to information repositories of either kind. Treat this entry as unverified.

Command and Control

1 technique
T1105 Ingress Tool Transfer (evidence: 1)

"...has used BITSAdmin to retrieve files from remote locations to run on victim systems..." The subject of this excerpt is cut off on the page and names no family, so it is a general illustration of the technique rather than direct evidence for MgBot.
