Pulse Detail — Threat Intelligence

PULSE NAME

Evasive Panda scouting cloud services

WHITE Evasive Panda AlienVault 2024-10-28 Modified: 2024-11-27

IOCs

HIGH VOLUME

CloudScout is a post-compromise toolset used by Evasive Panda to target a Taiwanese government entity and religious organization between 2022 and 2023. The toolset can retrieve data from various cloud services using stolen web session cookies. It works with MgBot, Evasive Panda's malware framework, through a plugin. Three CloudScout modules were analyzed, targeting Google Drive, Gmail, and Outlook. The modules are deployed by MgBot plugins and use stolen cookies to access and exfiltrate cloud data. CloudScout's design includes a common architecture across modules and a core CommonUtilities package. The toolset demonstrates Evasive Panda's technical capabilities and focus on cloud-stored data in espionage operations.

MITRE ATT&CK & Malware Families

ATT&CK TECHNIQUES

T1560.001 T1539 T1548.002 T1036.005 T1587.001 T1543.003 T1530 T1082 T1106 T1140 T1112 T1583.004 T1041 T1027 T1114.002 T1095 T1550.004 T1569.002

MALWARE FAMILIES

CloudScout MgBot Nightdoor

Indicators of Compromise (76)

All FileHash-MD5 FileHash-SHA1 FileHash-SHA256

TYPE	INDICATOR	DESCRIPTION	CREATED
FileHash-MD5	07df8d223f8a370cd703d177d7e93a36	—	2024-10-28
FileHash-MD5	13546e9d36effa74f971d90687b60ea6	—	2024-10-28
FileHash-MD5	4c504e0ef91fc66a6d6c4e3d6b10fa18	—	2024-10-28
FileHash-MD5	889a7ae42fb44390ab99af071dd3d6b0	—	2024-10-28
FileHash-MD5	9f27e0798271b590a01463d4543df2ea	—	2024-10-28
FileHash-MD5	ae5d92ef69074050a822f6669fe267b6	—	2024-10-28
FileHash-MD5	b2a36442e68848944365d3d1b8b7554a	—	2024-10-28
FileHash-MD5	be17d056039267973e36043c678a5d56	—	2024-10-28
FileHash-MD5	c02b6a7cc4f4da2d6956049b90ff53ba	—	2024-10-28
FileHash-MD5	d7a70062736c8d34823cfb835cf5c34c	—	2024-10-28
FileHash-MD5	d93af224d9e9a5172bb9ba5104e24a45	—	2024-10-28
FileHash-MD5	eef23748ed175760f9c70871252a11f3	—	2024-10-28
FileHash-MD5	f553ea019b79742eabcbacd387231623	—	2024-10-28
FileHash-SHA1	0781a2b6eb656d110a3a8f60e8bce9d407e4c4ff	—	2024-10-28
FileHash-SHA1	0a88c3b4709287f70ca2549a29353a804681ca78	—	2024-10-28
FileHash-SHA1	10fb52e4a3d5d6bda0d22bb7c962bde95b8da3dd	—	2024-10-28
FileHash-SHA1	1c7df9b0023fb97000b71c7917556036a48657c5	—	2024-10-28
FileHash-SHA1	22532a8c8594cd8a3294e68ceb56accf37a613b3	—	2024-10-28
FileHash-SHA1	2a96338bacce3bb687bdc274daad120f32668cf4	—	2024-10-28
FileHash-SHA1	2ac41ffcde6c8409153df22872d46cd259766903	—	2024-10-28
FileHash-SHA1	348730018e0a5554f0f05e47bba43dc0f55795ac	—	2024-10-28
FileHash-SHA1	3dd958ca6eb7e8f0a0612d295453a3a10c08f5fe	—	2024-10-28
FileHash-SHA1	3eee78ede82f6319d094787f45afd9bfb600e971	—	2024-10-28
FileHash-SHA1	4a5bcdaac0bc315edd00bb1fccd1322737bcbeeb	—	2024-10-28
FileHash-SHA1	5273b45c5eabe64edbd0b79f5d1b31e2e8582324	—	2024-10-28
FileHash-SHA1	52fe3fd399ed15077106bae9ea475052fc8b4acc	—	2024-10-28
FileHash-SHA1	547bd65eee05d744e075c5e12fb973a74d42438f	—	2024-10-28
FileHash-SHA1	5748e11c87aeab3c19d13db899d3e2008be928ad	—	2024-10-28
FileHash-SHA1	57fd698ccb5cb4f90c014efc6754599e5b0fbe54	—	2024-10-28
FileHash-SHA1	59aa9be378371183ed419a0b24c019ccf3da97ec	—	2024-10-28
FileHash-SHA1	5e5274c7d931c1165aa592cdc3bfceb4649f1ff7	—	2024-10-28
FileHash-SHA1	621e2b50a979d77ba3f271fab94326cccbc009b4	—	2024-10-28
FileHash-SHA1	65b03630e186d9b6adc663c313b44ca122ca2079	—	2024-10-28
FileHash-SHA1	67028aeb095189fdf18b2d7b775b62366ef224a9	—	2024-10-28
FileHash-SHA1	70b743e60f952a1238a469f529e89b0eb71b5ef7	—	2024-10-28
FileHash-SHA1	77dbcdface92513590b7c3a407be2717c19094e0	—	2024-10-28
FileHash-SHA1	7a3fc280f79578414d71d70609fbdb49ec6ad648	—	2024-10-28
FileHash-SHA1	7c3fd8ee5d660bbf43e423818c6a8c3231b03817	—	2024-10-28
FileHash-SHA1	812124b84c5ea455f7147d94ec38d24bdf159f84	—	2024-10-28
FileHash-SHA1	82b99ad976429d0a6c545b64c520be4880e1e4b8	—	2024-10-28
FileHash-SHA1	84f6b9f13cdcd8d9d15d5820536bc878cd89b3c8	—	2024-10-28
FileHash-SHA1	8591a7ee00fb1bb7cc5b0417479681290a51996e	—	2024-10-28
FileHash-SHA1	8a389afe1f85f83e340ca9dfc0005d904799d44c	—	2024-10-28
FileHash-SHA1	8a98a023164b50dec5126eda270d394e06a144ff	—	2024-10-28
FileHash-SHA1	8eaa213ae4d482938c5a7ec523c83d2c2e1e8c0e	—	2024-10-28
FileHash-SHA1	93c1c8ad2af64d0e4c132f067d369ecbebae00b7	—	2024-10-28
FileHash-SHA1	944b69b5e225c7712604efc289e153210124505c	—	2024-10-28
FileHash-SHA1	970babe49945b98efada72b2314b25a008f75843	—	2024-10-28
FileHash-SHA1	9b6a473820a72111c1a38735992b55c413d941ee	—	2024-10-28
FileHash-SHA1	9d1ecbbe8637fed0d89fca1af35ea821277ad2e8	—	2024-10-28
FileHash-SHA1	a1ca41fdb61f03659168050de3e208f0940f37d8	—	2024-10-28
FileHash-SHA1	a942099338c946fc196c62e87942217bf07fc5b3	—	2024-10-28
FileHash-SHA1	ad6c84859d413d627ac589aedf9891707e179d6c	—	2024-10-28
FileHash-SHA1	b3556d1052bf5432d39a6068ccf00d8c318af146	—	2024-10-28
FileHash-SHA1	c0575af04850eb1911b000bf56e8d5e9362a61e4	—	2024-10-28
FileHash-SHA1	c058f9fe91293040c8b0908d3dafc80f89d2e38b	—	2024-10-28
FileHash-SHA1	c70c3750ac6b9d7b033addef838ef1cc28c262f3	—	2024-10-28
FileHash-SHA1	d4938cb5c031ec7f04d73d4e75f5db5c8a5c04ce	—	2024-10-28
FileHash-SHA1	d60ee17418cc4202bb57909bec69a76bd318eeb4	—	2024-10-28
FileHash-SHA1	e5214ab93b3a1fc3993ef2b4ad04dfcc5400d5e2	—	2024-10-28
FileHash-SHA1	f0f8f60429e3316c463f397e8e29e1cb2d925fc2	—	2024-10-28
FileHash-SHA1	fa44028115912c95b5efb43218f3c7237d5c349f	—	2024-10-28
FileHash-SHA1	fa78e89ab95a0b49bc0663f7ab33aaf1a924c560	—	2024-10-28
FileHash-SHA256	174a62201c7e2af67b7ad37bf7935f064a379f169cf257ca16e912a46ecc9841	—	2024-10-28
FileHash-SHA256	2c0cfe2f4f1e7539b4700e1205411ec084cbc574f9e4710ecd4733fbf0f8a7dc	—	2024-10-28
FileHash-SHA256	3e92f35c3818be05033b9f6716fe4fc30d5a68f6e412422ad7c68c85d4451ae4	—	2024-10-28
FileHash-SHA256	419311167faeee927763b67ce00dbd4491f18bb0dbac9236621faec9e6422fa9	—	2024-10-28
FileHash-SHA256	62b72607762e6b67e5bb66a5febadda72ff4fce88f996861b978a58cd418eeb1	—	2024-10-28
FileHash-SHA256	73d50eabd0b377e22210490a06ecf2441191558d97ce14ba79517c0e7696318b	—	2024-10-28
FileHash-SHA256	81044813cf55c2398d7e2179e75c06ed8bcbcfc0328f9e0e2cc0b67e2e3d2e4a	—	2024-10-28
FileHash-SHA256	88b0ee7273a91d92c3570dbc67896e15b53ca118d2b45e49a3489605cc26bf24	—	2024-10-28
FileHash-SHA256	a0fe56ec6eb5cc433fdc9e3537e49b45c90ffe8df409a0f1b5844bc253d209ba	—	2024-10-28
FileHash-SHA256	d7468510a0123f4ecea9cb7c1636a024d3ab96cc856439a924349b00618b87ae	—	2024-10-28
FileHash-SHA256	d9eec27bf827669cf13bfdb7be3fdb0fdf05a26d5b74adecaf2f0a48105ae934	—	2024-10-28
FileHash-SHA256	eb540cf9833ab8bd901b48ef258c0e14eb91fb3118fa967a40cd64d8ab417fa9	—	2024-10-28
FileHash-SHA256	ee6a3331c6b8f3f955def71a6c7c97bf86ddf4ce3e75a63ea4e9cd6e20701024	—	2024-10-28

References (1)

↗ https://www.welivesecurity.com/en/eset-research/cloudscout-evasive-panda-scouting-cloud-services/