Researchers at ESET detailed a previously unknown toolset, dubbed ‘CloudScout’, linked to China-aligned threat actor Evasive Panda. The group, also known as Bronze Highland, Daggerfly, or StormBamboo, has reportedly used this toolset to infiltrate and extract sensitive data from Taiwanese organizations. CloudScout has been deployed to target both a government entity and a religious institution in Taiwan from 2022 to 2023.
CloudScout enables the theft of data stored on popular cloud services, including Google Drive, Gmail, and Outlook, by hijacking web session cookies. The threat actor has created three distinct .NET modules that are part of CloudScout’s infrastructure. The modules access and retrieve specific data like email content, cloud-stored documents, and other sensitive information from compromised cloud services via specialized web requests and HTML parsers.
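One observable that defenders can look for when a toolset reuses stolen web session cookies, as described above, is the same session identifier being presented from more than one client fingerprint (source address plus User-Agent) within a short window. The script below is an added illustration of that check, not code from ESET or from CloudScout itself; the access-log format, the field names (`sid`, `ip`, `ua`), the sample lines and the 30-minute window are all constructed assumptions for the demo.

```python
"""Flag web session cookies that are reused from a different client fingerprint.

Added example: the log line format, field names and sample data are
constructed for this demonstration and do not come from the ESET report.
"""
import re
from datetime import datetime, timedelta

# Constructed sample access log: timestamp, session cookie id, source IP, User-Agent.
# Session abc123 is used by a browser and then, minutes later, by a scripted
# client from another address; def456 changes address hours later instead.
SAMPLE_LOG = """\
2023-03-01T09:00:00Z sid=abc123 ip=203.0.113.10 ua="Mozilla/5.0 (Windows NT 10.0)"
2023-03-01T09:02:00Z sid=abc123 ip=203.0.113.10 ua="Mozilla/5.0 (Windows NT 10.0)"
2023-03-01T09:05:00Z sid=abc123 ip=198.51.100.7 ua="python-requests/2.31"
2023-03-01T09:06:00Z sid=def456 ip=203.0.113.22 ua="Mozilla/5.0 (Macintosh)"
2023-03-01T12:00:00Z sid=def456 ip=198.51.100.7 ua="Mozilla/5.0 (Macintosh)"
"""

# Assumed log layout: "<ISO timestamp> sid=<id> ip=<addr> ua="<user agent>""
LINE_RE = re.compile(
    r'^(?P<ts>\S+) sid=(?P<sid>\S+) ip=(?P<ip>\S+) ua="(?P<ua>[^"]*)"$'
)


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    match = LINE_RE.match(line)
    if match is None:
        return None
    event = match.groupdict()
    # The trailing 'Z' is matched literally; timestamps are treated as naive UTC.
    event["ts"] = datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return event


def find_hijack_candidates(lines, window=timedelta(minutes=30)):
    """Return alerts for sessions whose fingerprint changes within `window`.

    The fingerprint is (source IP, User-Agent). A change within a short
    window is suspicious because a legitimate user rarely switches both
    network location and client that quickly; a change hours apart is left
    alone here to limit noise from roaming users.
    """
    last_seen = {}  # session id -> (timestamp, fingerprint) of the previous event
    alerts = []
    for raw in lines:
        event = parse_line(raw.strip())
        if event is None:
            continue  # skip lines that do not match the assumed layout
        fingerprint = (event["ip"], event["ua"])
        previous = last_seen.get(event["sid"])
        if previous is not None:
            prev_ts, prev_fp = previous
            if prev_fp != fingerprint and event["ts"] - prev_ts <= window:
                alerts.append({
                    "sid": event["sid"],
                    "ts": event["ts"],
                    "previous": prev_fp,
                    "current": fingerprint,
                })
        last_seen[event["sid"]] = (event["ts"], fingerprint)
    return alerts


if __name__ == "__main__":
    for alert in find_hijack_candidates(SAMPLE_LOG.splitlines()):
        print(f"{alert['ts'].isoformat()} session {alert['sid']} moved from "
              f"{alert['previous']} to {alert['current']}")
```

Run as-is, the script reports only `abc123`, because its fingerprint changes three minutes after the previous request; widening `window` to a day would also surface `def456`. In practice the window and the fingerprint fields are tuning knobs: binding the session to a TLS fingerprint or device token where the service supports it makes this signal considerably stronger than IP plus User-Agent alone.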
Once exfiltration is complete, the modules execute a full cleanup, deleting all evidence of their operation except for the files to be extracted. The modules then either terminate or await a new configuration file to start the data collection process again.
The first attack using CloudScout took place in May 2022 when Evasive Panda deployed it alongside the MgBot backdoor and Nightdoor implant within the network of a Taiwanese religious organization. ESET also detected the CloudScout modules and the Nightdoor implant at a suspected Taiwanese government entity.