
Threat Actor Profile: Bronze Highland 

Bronze Highland is a state-sponsored cyber threat group operating under the suspected direction of Chinese intelligence services. With a history of targeting governments, NGOs, and civil society across the Asia-Pacific and beyond, the group has built a reputation for combining technical precision with a politically charged mission. Bronze Highland has also been identified by several aliases, including Storm Cloud, Daggerfly, StormBamboo, and Evasive Panda. 

As of mid-July 2025, the group remains active, with observed campaigns involving both Windows and Android platforms. Their primary toolset includes custom malware strains, remote access trojans (RATs), and malicious browser extensions, all leveraged in ongoing espionage efforts. 

Target Profile and Geographic Focus 

[Figure: Cyble Vision Threat Library (Source: Cyble Vision)]

Bronze Highland’s targeting reflects strategic alignment with Chinese geopolitical interests. Their victims span across: 

  • Asia-Pacific: Hong Kong, India, Malaysia, Macao, Taiwan, Myanmar, Vietnam, and the Philippines 
  • Africa: Nigeria, South Africa, Central African Republic 
  • Domestic Entities: Surprisingly, some campaigns have also affected networks within mainland China, likely involving third-party surveillance or misattribution. 

Key sectors under attack include telecommunications, activist organizations, media groups, and political movements. Human rights advocates and pro-democracy figures in Hong Kong have been consistent targets, underscoring the group’s role in domestic information control and regional influence campaigns. 

A Closer Look at Tactics and Tools

[Figure: Malware Families Used by Bronze Highland (Source: Cyble Vision)]

Bronze Highland favors spear-phishing as a primary intrusion vector. In one common scenario, the group sends targeted emails to pro-democracy activists, containing seemingly innocuous attachments. Once opened, these files deploy malware such as the MgBot trojan, granting attackers remote access to compromised systems. 

Notable Malware Families Used 

1. GIMMICK 

Originally attributed to Storm Cloud, GIMMICK is a robust, multi-platform backdoor capable of evading detection through public cloud command-and-control (C2) infrastructure. It supports both Windows (written in .NET and Delphi) and macOS (Objective-C), making it highly versatile. Regardless of platform, its behaviors, such as encrypted C2 traffic and modular payload loading, remain consistent.

2. KsRemote (Android/Trojan.Spy.AndroRat.KSRemote) 

This Android-based RAT has been used to infiltrate smartphones of targeted individuals. Delivered via malicious apps containing the file ksremote.jar, the malware enables extensive surveillance functions. These include: 

  • Activating microphones and cameras 
  • Tracking GPS location 
  • Accessing contacts, call logs, SMS, and browser history 
  • Sending messages from infected devices 

3. RELOADEXT 

RELOADEXT is a malicious Google Chrome extension used for data exfiltration and potentially credential harvesting. This malware has been deployed post-compromise on macOS devices and may serve as a persistence mechanism or a lateral movement tool. Its full capability remains under investigation, but its deployment on consumer-grade systems suggests efforts to stay below the radar of enterprise-grade detection systems. 

4. Macma 

While less is known about Macma, it is believed to be another custom implant associated with Bronze Highland. Its functions are not fully disclosed, but it likely serves in surveillance or lateral movement within compromised networks. 

Execution and Persistence Techniques 

Bronze Highland actors are proficient in cross-platform execution methods. Common techniques include: 

  • Command-line scripting via PowerShell, Unix shell, and Windows Command Shell 
  • Use of native APIs to create or modify system processes 
  • Windows service manipulation, often with tools like PsExec or sc.exe 
  • Obfuscation and process injection, including PE injection and memory manipulation 

For persistence, attackers frequently tamper with the Windows Registry, create or modify services, and install malicious browser components like RELOADEXT. Tools such as “certutil” or scripting engines are often used to decode or execute payloads directly on infected systems. 

Privilege escalation is achieved by abusing legitimate system processes or service configurations, often enabling attackers to maintain elevated access for extended periods without detection. 

Espionage Motives and Impact 

The overarching mission of Bronze Highland appears to center around political surveillance, counter-activism, and regional espionage. Their operations consistently target entities that challenge the Chinese Communist Party’s narrative or authority, such as journalists, non-governmental organizations, and democratic institutions. 

While many campaigns are covert, the downstream impact includes: 

  • Compromised communications of pro-democracy leaders. 
  • Exfiltration of sensitive political and organizational documents. 
  • Long-term intelligence gathering in civil society. 

Conclusion 

Bronze Highland exemplifies the modern evolution of cyber-espionage—stealthy, multi-platform, and politically driven. Their use of custom malware across Windows, macOS, and Android reflects a strategic focus on long-term surveillance and regional influence. 

To counter threats like Bronze Highland, organizations need more than traditional security; they need intelligence-led protection. Cyble delivers exactly that through a unified platform combining real-time threat monitoring, vulnerability management, dark web surveillance, and AI-powered analytics. From executive protection to cloud security, Cyble equips businesses with the tools to detect, respond, and stay ahead of nation-state actors. 


Defense and Mitigation Strategies 

  • Strengthen Email Security: Use advanced anti-phishing tools and train users to spot suspicious emails and attachments. 
  • Deploy Endpoint Detection: Monitor for unusual activities like process injection, PowerShell misuse, and service changes on all devices. 
  • Keep Systems Patched: Regularly update OS and software to close vulnerabilities exploited by the group. 
  • Enforce Least Privilege Access: Limit admin rights and monitor account and service changes to prevent privilege escalation. 
  • Use Multi-Factor Authentication: Protect critical accounts to block unauthorized access even if credentials are stolen. 
  • Audit Persistence Mechanisms: Regularly check scheduled tasks, registry keys, and services for malicious modifications. 
  • Secure Mobile Devices: Implement mobile device management and restrict unauthorized app installations. 
  • Leverage Threat Intelligence: Stay informed with real-time feeds and dark web monitoring to detect and respond early. 

MITRE ATT&CK Techniques Associated with Bronze Highland 

[Figure: MITRE ATT&CK Techniques (Source: Cyble Vision)]

  • Command and Scripting Interpreter (T1059): Abuse built-in interpreters (PowerShell, Unix Shell, Windows Command Shell) to run commands/scripts. 
  • Windows Command Shell (T1059.003): Use Windows CMD for executing commands locally or remotely (e.g., via SSH). Batch files automate tasks; used for repetitive or multi-system commands. 
  • Native API (T1106): Call OS-level APIs to execute processes or commands (e.g., CreateProcess, fork) and APIs accessed via syscalls or user-mode libraries (e.g., .NET, macOS Cocoa). 
  • System Services (T1569): Abuse local or remote system services/daemons to execute malicious code. 
  • Service Execution (T1569.002): Use Windows Service Control Manager (SCM) to manage and run malicious services. Tools like PsExec and sc.exe enable remote service execution. 
  • Create or Modify System Process (T1543): Create/modify services, daemons, or agents for persistence and elevated execution. May run with SYSTEM/root privileges to escalate access. 
  • Windows Service (T1543.003): Modify service configs or create new services to run malicious payloads at startup. 
  • Obfuscated Files or Information (T1027): Encrypt, encode, or compress files to avoid detection, and use password-protected archives or split payloads across benign-looking files.
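The endpoint-detection and persistence-audit advice in the mitigation list, together with the T1059, T1543.003, T1569.002 and T1027 entries above, can be exercised as a small rule set over process-creation telemetry. The following Python is an added example, not code from the page or from Cyble; the pipe-delimited event format and the sample events are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Callable, List

# Constructed sample process-creation events (not from the page or any real host).
# Field layout: timestamp|host|user|parent_image|image|command_line
SAMPLE_EVENTS = """\
2025-07-15T09:12:01Z|WS-17|alice|outlook.exe|cmd.exe|cmd.exe /c certutil -decode C:\\Temp\\inv.txt C:\\Temp\\inv.exe
2025-07-15T09:12:05Z|WS-17|alice|cmd.exe|sc.exe|sc.exe create UpdSvc binPath= "C:\\Temp\\inv.exe" start= auto
2025-07-15T09:13:10Z|WS-17|alice|cmd.exe|powershell.exe|powershell.exe -nop -w hidden -enc SQBFAFgA
2025-07-15T09:20:00Z|WS-17|SYSTEM|services.exe|PSEXESVC.exe|PSEXESVC.exe
2025-07-15T10:00:00Z|WS-17|bob|explorer.exe|notepad.exe|notepad.exe C:\\Users\\bob\\notes.txt
2025-07-15T10:05:00Z|WS-17|admin|cmd.exe|sc.exe|sc.exe query wuauserv
"""

@dataclass
class Rule:
    technique: str   # ATT&CK ID as listed in the profile
    title: str
    match: Callable[[str, str, List[str]], bool]  # (parent_image, image, cmdline tokens)

def _tokens(cmdline: str) -> List[str]:
    """Lower-case, whitespace-split command line with surrounding quotes removed."""
    return [t.strip('"') for t in cmdline.lower().split()]

RULES = [
    Rule("T1027", "certutil used to decode a payload",
         lambda p, i, t: any(x in ("certutil", "certutil.exe") for x in t) and "-decode" in t),
    Rule("T1543.003", "service created or binPath changed via sc.exe",
         lambda p, i, t: i == "sc.exe" and len(t) > 1 and t[1] in ("create", "config") and "binpath=" in t),
    Rule("T1059", "PowerShell launched with an encoded command",
         lambda p, i, t: i == "powershell.exe" and any(x in ("-e", "-ec", "-enc", "-encodedcommand") for x in t)),
    Rule("T1569.002", "PsExec service component started by the SCM",
         lambda p, i, t: p == "services.exe" and i == "psexesvc.exe"),
]

def scan(events: str) -> List[dict]:
    """Return one finding per (event, matching rule), in event order."""
    hits = []
    for line in events.splitlines():
        if not line.strip():
            continue
        ts, host, user, parent, image, cmdline = line.split("|", 5)
        toks = _tokens(cmdline)
        for r in RULES:
            if r.match(parent.lower(), image.lower(), toks):
                hits.append({"time": ts, "host": host, "user": user,
                             "technique": r.technique, "title": r.title, "cmd": cmdline})
    return hits

if __name__ == "__main__":
    for h in scan(SAMPLE_EVENTS):
        print(f"{h['time']} {h['host']} {h['user']:<6} {h['technique']:<10} {h['title']}: {h['cmd']}")
```

Benign activity in the sample (a notepad launch and an `sc.exe query`) produces no finding, while each of the four suspicious events maps to exactly one technique from the list above.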
