ID: de7c172d-6fcb-422e-a1e1-dcca2e16137b
STIX ID: report--de7c172d-6fcb-422e-a1e1-dcca2e16137b
Threat Score: 80/100
Evasive Panda (aka Bronze Highland/Daggerfly/StormBamboo) used a previously undocumented .NET post-compromise toolset named CloudScout between May 2022 and February 2023 to exfiltrate data from Google Drive, Gmail, and Outlook by stealing browser session cookies (pass-the-cookie). CloudScout comprises multiple C# modules and a CommonUtilities package and is deployed as an MgBot plugin, with exfiltration via MgBot or Nightdoor. It complements the actor's diverse initial access methods, including supply-chain compromise and DNS poisoning, enabling targeted espionage against Taiwanese government and religious entities.
