🇨🇳

TAG-112

APT Group ETDA ✓

Also Known As

No alias recorded

Target Countries 1

Countries highlighted in red

United States

Sectors Targeted

Computer Systems Design Services 541512

Details

Origin 🇨🇳 CN

Last Updated 21 Apr 2026

Related Zero-Days

No zero-day CVE linked to this actor

Known Names 8 entries

Bronze Highland SecureWorks

Evasive Panda Malwarebytes

Daggerfly Symantec

Storm Cloud Volexity

StormBamboo Volexity

TAG-102 Recorded Future

TAG-112 Recorded Future

Digging Taurus Palo Alto

Observed Target Countries 12

Based on ETDA data — countries highlighted in red

China Hong Kong India Macao Malaysia Myanmar Nigeria Philippines Taiwan Tibet Vietnam Africa

Description

(SecureWorks) BRONZE HIGHLAND has been observed using spearphishing as an initial infection vector to deploy the MgBot remote access trojan against targets in Hong Kong. Third party reporting suggests the threat group also targets India, Malaysia and Taiwan and leverages Cobalt Strike and KsRemote Android Rat. CTU researchers assess with moderate confidence that BRONZE HIGHLAND operates on behalf of China and has a remit covering espionage against domestic human rights and pro-democracy advocates and nations neighbouring China.

Tools Used 9

CloudScout Cobalt Strike GIMMICK Nightdoor Macma MgBot KsRemote RELOADEXT Living off the Land

Operations 8

2020 Evasive Panda APT group delivers malware via updates for popular Chinese software https://www.welivesecurity.com/2023/04/26/evasive-panda-apt-group-malware-updates-popular-chinese-software/

2021 Late Storm Cloud on the Horizon: GIMMICK Malware Strikes at macOS https://www.volexity.com/blog/2022/03/22/storm-cloud-on-the-horizon-gimmick-malware-strikes-at-macos/

2022 CloudScout: Evasive Panda scouting cloud services https://www.welivesecurity.com/en/eset-research/cloudscout-evasive-panda-scouting-cloud-services/

2022-11 Daggerfly: APT Actor Targets Telecoms Company in Africa https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/apt-attacks-telecoms-africa-mgbot

2023 Mid StormBamboo Compromises ISP to Abuse Insecure Software Update Mechanisms https://www.volexity.com/blog/2024/08/02/stormbamboo-compromises-isp-to-abuse-insecure-software-update-mechanisms/

2023-09 Evasive Panda leverages Monlam Festival to target Tibetans https://www.welivesecurity.com/en/eset-research/evasive-panda-leverages-monlam-festival-target-tibetans/

2024-05 China-Nexus TAG-112 Compromises Tibetan Websites to Distribute Cobalt Strike https://go.recordedfuture.com/hubfs/reports/cta-cn-2024-1112.pdf

2024-07 Daggerfly: Espionage Group Makes Major Update to Toolset https://symantec-enterprise-blogs.security.com/threat-intelligence/daggerfly-espionage-updated-toolset

Reports & References 3

https://www.secureworks.com/research/threat-profiles https://blog.malwarebytes.com/threat-analysis/2020/07/chinese-apt-group-targets-india-and-hong-kong-using-new-variant-of-mgbot-malware/ https://vb2020.vblocalhost.com/uploads/VB2020-43.pdf

ETDA Profile

Bronze Highland

Origin

China

First Seen 2012

Sponsor State-sponsored

Motivation

Information theft and espionage

View on ETDA APT Groups ↗