China’s ‘Evasive Panda’ APT Debuts High-End Cloud Hijacking

China-sponsored Evasive Panda Introduces CloudScout Post-Compromise Toolset for Cloud Data Theft

The China-sponsored Evasive Panda hacking crew has introduced a new tool called CloudScout. According to researchers at ESET, this professionally built post-compromise toolset is designed to retrieve data from various cloud services using stolen web session cookies.

ESET uncovered CloudScout while investigating breaches of a religious institution and a government entity in Taiwan. The tool is written in .NET and works seamlessly with MgBot, Evasive Panda’s proprietary malware framework. Using stolen cookies, CloudScout accesses and retrieves data from cloud services such as Google Drive, Gmail, and Outlook.

The sophistication of CloudScout showcases Evasive Panda’s technical capabilities and highlights the importance of cloud-stored documents, user profiles, and email in their espionage operations. The Chinese APT has been operating since at least 2012, focusing mainly on cyber espionage against civil society targets such as independence movements, religious and academic institutions, and supporters of democracy in China.

Evasive Panda is known for consistently evolving its cyberattack techniques, and CloudScout is the latest addition to its arsenal. Because it works from stolen session cookies, CloudScout avoids authentication checks such as two-factor authentication and IP tracking. It gathers sensitive data, which is then exfiltrated using MgBot or another backdoor called Nightdoor.

Overall, the introduction of CloudScout demonstrates Evasive Panda’s continued dedication to sophisticated cyber espionage operations, further solidifying the group’s position as a significant threat in the cybersecurity landscape.
