Categories: Cyber AttackMalware

Chinese Hackers Using Shared Framework To Create Multi-Platform Malware

Shared frameworks are often prone to hackers’ abuses as they have been built into various applications, which offer a range of systems that can be exploited at the same time.

By attacking shared framework vulnerabilities, hackers can get into many apps and information stores, which escalates their malicious acts in terms of efficiency and scale.

Cybersecurity researchers at Symantec recently discovered that Chinese hackers have been actively abusing the Shared Framework to create Windows, Linux, macOS, and Android malware.

Chinese Hackers Using Multi-Platform Malware

The malware toolkit of the Daggerfly espionage group has been refreshed by adding new versions of already known threats and a previously unattributed macOS backdoor.

Join our free webinar to learn about combating slow DDoS attacks, a major threat today.

The latest attacks against the targets in Taiwan and a US NGO in China are examples of how the group’s tactics have evolved, including the exploitation of an Apache HTTP Server vulnerability.

This development shows that Daggerfly continues to evolve and remains involved in international and domestic spying operations, extending its decade-long history in the cyber field.

Macma is a macOS backdoor that was first documented in 2021. It has been active since 2019 and is continuously developing.

Watering hole attacks in Hong Kong were the initial distribution channels through which it exploited loopholes to install itself into macOS devices.

According to a recent Symantec analysis of different Macma variations, its functions change meaningfully with time, consequently comprising newly updated modules, improved file paths, heightened logging, and other features such as better screen-capture capabilities.

These ongoing developments depict a relentless threat by the Macma backdoor, which has a proven ability of targeting macOS systems.

New evidence links the Macma macOS backdoor to the Daggerfly threat group. Symantec discovered shared command-and-control infrastructure between Macma variants and a MgBot dropper. 

While Macma and other known Daggerfly malware share code from a common library, which provides functionality across multiple platforms. 

This shared codebase and infrastructure strongly suggest that Macma is part of the Daggerfly toolkit, marking a significant development in attributing this previously unaffiliated backdoor to a specific advanced persistent threat group.

Daggerfly’s toolkit now includes a sophisticated Windows backdoor called Suzafk (aka Nightdoor or NetMM). 

This multi-staged malware uses TCP or OneDrive for command and control, employs anti-analysis techniques, and shares code with other Daggerfly tools. 

Suzafk’s capabilities include remote command execution, persistence via scheduled tasks, and encrypted configuration storage. 

This addition, along with evidence of malware targeting various operating systems, including Android and Solaris, demonstrates Daggerfly’s advanced capabilities and adaptability in conducting espionage activities across multiple platforms.

IoCs

IoCs (Source – Symantec)

Protect Your Business Emails From Spoofing, Phishing & BEC with AI-Powered Security | Free Demo

Tushar Subhra

Tushar is a Cyber security content editor with a passion for creating captivating and informative content. With years of experience under his belt in Cyber Security, he is covering Cyber Security News, technology and other news.

Recent Posts

Top Ransomware Groups Target Financial Sector, 406 Incidents Revealed

Flashpoint analysts have reported that between April 2024 and April 2025, the financial sector emerged…

12 hours ago

Agenda Ransomware Group Enhances Tactics with SmokeLoader and NETXLOADER

The Agenda ransomware group, also known as Qilin, has been reported to intensify its attacks…

12 hours ago

SpyCloud Analysis Reveals 94% of Fortune 50 Companies Have Employee Data Exposed in Phishing Attacks

SpyCloud, the leading identity threat protection company, today released an analysis of nearly 6 million…

13 hours ago

PoC Tool Released to Detect Servers Affected by Critical Apache Parquet Vulnerability

F5 Labs has released a new proof-of-concept (PoC) tool designed to help organizations detect servers…

14 hours ago

Healthcare Sector Becomes a Major Target for Cyber Attacks in 2025

The healthcare sector has emerged as a prime target for cyber attackers, driven by the…

15 hours ago

SysAid ITSM Vulnerabilities Enables Pre-Auth Remote Command Execution

Security researchers have disclosed a chain of critical vulnerabilities affecting SysAid ITSM’s On-Premise solution, enabling…

15 hours ago