Iron Tiger Enhances its TTPs and Targets Linux and MacOS Users
Daniel Lunghi
Iron Tiger, also known as APT27 or Emissary Panda, is an advanced threat actor that has conducted espionage for more than a decade, targeting multiple sensitive industries worldwide.
In the past months, we noticed the threat actor enhancing its toolkit to target all three major platforms: Windows, MacOS and Linux. We found that they had obtained access to the backend of a little-known chat application and modified its installers to deliver a remote access tool named rshell to users of the Mac platform. We also observed a new version of the SysUpdate malware family in which, in addition to porting the malware to the Linux platform, the threat actor added features such as DNS tunneling for the C&C communication protocol.