Chinese state-backed cyber espionage group Evasive Panda has deployed an advanced toolset named CloudScout, designed to steal session cookies from web browsers to gain unauthorized access to cloud services like Google Drive, Gmail, and Outlook. Initially identified by ESET researchers, CloudScout was used in cyberattacks targeting a Taiwanese government entity and a religious organization, underscoring Evasive Panda’s continued focus on political espionage in sensitive regions. By capturing session cookies, CloudScout can bypass standard login credentials, allowing seamless access to victims’ data stored in cloud services. This tactic, known as “pass-the-cookie,” has become a favored technique for high-level threat actors seeking discreet access to sensitive information.
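One defender-side way to catch a replayed session cookie is to bind each session to the client fingerprint that created it and alert when the same session identifier later arrives from a different one. The script below is an added example, not ESET's research code or anything from the CloudScout toolset; the log format, field names, session identifiers and addresses are all constructed for illustration, and the thresholds are an assumption.

```python
"""Flag suspected session-cookie replay ("pass-the-cookie") in access logs.

Added example (not from the page or the ESET report). A stolen cookie is
replayed from the attacker's machine, so the same session id shows up with
a different source IP and/or User-Agent than the client that established it.
The log line format below is constructed for this example; adapt LOG_RE to
your reverse proxy or identity-provider log format.
"""
import re
from dataclasses import dataclass, field

# Constructed log format: one request per line, session id already hashed.
LOG_RE = re.compile(
    r'^(?P<ts>\S+) sid=(?P<sid>\w+) ip=(?P<ip>[\d.]+) '
    r'ua="(?P<ua>[^"]*)" path=(?P<path>\S+)$'
)

# Constructed sample: session a1b2c3 is created from a browser, then reused
# from a different IP with a scripted client; session d4e5f6 only changes IP.
SAMPLE_LOG = """\
2023-01-10T09:00:01Z sid=a1b2c3 ip=203.0.113.10 ua="Mozilla/5.0 (Windows NT 10.0) Chrome/108.0" path=/login
2023-01-10T09:05:12Z sid=a1b2c3 ip=203.0.113.10 ua="Mozilla/5.0 (Windows NT 10.0) Chrome/108.0" path=/mail/inbox
2023-01-10T09:40:33Z sid=a1b2c3 ip=198.51.100.7 ua="python-requests/2.28" path=/mail/messages?download=1
2023-01-10T09:41:05Z sid=a1b2c3 ip=198.51.100.7 ua="python-requests/2.28" path=/drive/files?ext=docx
2023-01-10T10:00:00Z sid=d4e5f6 ip=192.0.2.44 ua="Mozilla/5.0 (iPhone) Safari/16.1" path=/login
2023-01-10T10:20:00Z sid=d4e5f6 ip=192.0.2.45 ua="Mozilla/5.0 (iPhone) Safari/16.1" path=/mail/inbox
"""


@dataclass
class Session:
    """Client fingerprint captured at the first sighting of a session id."""
    ip: str
    ua: str
    first_seen: str
    alerts: list = field(default_factory=list)  # list of (severity, message)


def parse_line(line):
    """Return a dict of fields for a well-formed line, or None for junk."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def detect_cookie_replay(lines):
    """Return {sid: [(severity, message), ...]} for sessions seen from a new fingerprint.

    Severity is an assumption for the example: a User-Agent change is 'high'
    (a browser session does not normally turn into a scripted client), an IP
    change alone is 'low' (mobile and VPN users roam between addresses).
    """
    sessions = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        sid = rec["sid"]
        if sid not in sessions:
            # First sighting binds the session to the client that created it.
            sessions[sid] = Session(rec["ip"], rec["ua"], rec["ts"])
            continue
        s = sessions[sid]
        ip_changed = rec["ip"] != s.ip
        ua_changed = rec["ua"] != s.ua
        if not (ip_changed or ua_changed):
            continue
        severity = "high" if ua_changed else "low"
        reasons = []
        if ip_changed:
            reasons.append(f"ip {s.ip}->{rec['ip']}")
        if ua_changed:
            reasons.append(f"ua {s.ua!r}->{rec['ua']!r}")
        s.alerts.append((severity, f"{rec['ts']} {rec['path']}: " + ", ".join(reasons)))
    return {sid: s.alerts for sid, s in sessions.items() if s.alerts}


if __name__ == "__main__":
    for sid, alerts in detect_cookie_replay(SAMPLE_LOG.splitlines()).items():
        for severity, msg in alerts:
            print(f"[{severity}] session {sid}: {msg}")
```

The fingerprint check is deliberately coarse: an attacker who copies the victim's User-Agent string defeats the 'high' rule, and an IP change on its own is common for legitimate mobile users, which is why it is rated 'low'. Treat it as an enrichment signal to correlate with others (new geolocation or ASN, bulk mailbox or file listing shortly after the fingerprint change) rather than a standalone verdict; the page's note about Device Bound Session Credentials describes the stronger fix, binding the cookie to the device cryptographically so replay from another machine fails outright.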
CloudScout, implemented as an extension of Evasive Panda’s signature malware MgBot, operated covertly between May 2022 and February 2023. This toolset consists of ten modules, three of which are specifically crafted to siphon data from popular cloud services. By leveraging MgBot, Evasive Panda has successfully integrated CloudScout’s cookie-theft capabilities into its broader espionage activities. MgBot also facilitates the deployment of additional malware, such as Nightdoor, which enhances the group’s operational agility. According to ESET, CloudScout’s modules are built using C#, and include the ability to capture mail listings, extract email messages and attachments, and copy cloud-stored files with specific extensions.
At the core of CloudScout is a sophisticated package known as CommonUtilities, a custom-built collection of libraries enabling functions such as HTTP communications, cookie management, and data parsing. These libraries, including components named HTTPAccess and ManagedCookie, allow for highly tailored data retrieval operations. By using proprietary rather than open-source libraries, Evasive Panda gains greater control over its toolset, reducing its reliance on detectable third-party code and improving the resilience and stealth of its operations. Before exfiltration, CloudScout compresses the stolen data into ZIP archives so it can be transferred efficiently.
The emergence of CloudScout highlights the evolving techniques of Evasive Panda, also known as Bronze Highland, Daggerfly, and StormBamboo. Known for previous watering hole and supply chain attacks, the group continues to enhance its toolkit to counter new cybersecurity defenses. While this attack demonstrates the increasing sophistication of Chinese cyber operations, cloud service providers are introducing protective measures such as Google’s Device Bound Session Credentials (DBSC) and App-Bound Encryption, which could mitigate cookie-theft malware in the future. Meanwhile, Evasive Panda’s activities underscore the persistent threat state-backed cyber actors pose to sensitive institutions and critical infrastructure worldwide.