Evasive Panda APT Uses DNS Poisoning To Deploy MgBot Malware Across Türkiye China And India

A China-linked advanced persistent threat group, known as Evasive Panda, has been attributed to a highly targeted cyber espionage campaign using DNS poisoning to deliver its MgBot backdoor to victims in Türkiye, China, and India. Kaspersky reported the activity spanned from November 2022 to November 2024 and linked the attacks to a group also tracked as Bronze Highland, Daggerfly, and StormBamboo, which has been active since at least 2012. The campaign employed adversary-in-the-middle attacks, dropping loaders into specific locations and storing encrypted malware components on attacker-controlled servers, which were accessed through manipulated DNS responses to targeted websites.

Evasive Panda’s DNS poisoning methods have been observed in previous incidents. In April 2023, ESET noted that the group used either a supply chain compromise or AitM attack to deliver trojanized versions of legitimate applications like Tencent QQ to an international NGO in Mainland China. In August 2024, Volexity reported that the group compromised an unnamed internet service provider through DNS poisoning to push malicious updates to selected targets. The group has become one of several China-aligned threat clusters leveraging AitM poisoning techniques for initial access or lateral movement, alongside other actors such as LuoYu, BlackTech, TheWizards APT, Blackwood, PlushDaemon, and FontGoblin.

In documented attacks, Evasive Panda has disguised malware as updates for legitimate third-party software such as SohuVA, iQIYI Video, IObit Smart Defrag, and Tencent QQ. The malicious updates were served from domains like p2p.hd.sohu.com[.]cn, likely through DNS poisoning that redirected genuine update requests to attacker-controlled IP addresses. Victims’ systems, based on their geographic location or ISP, would resolve legitimate domains like dictionary[.]com to malicious servers, enabling the deployment of an initial loader that executes shellcode and retrieves encrypted second-stage payloads in PNG format. Kaspersky researchers highlighted that these payloads were uniquely encrypted for each victim to evade detection.

A secondary loader, libpython2.4.dll, loaded by a renamed copy of an older python.exe, then downloads and decrypts the next-stage malware stored in C:\ProgramData\Microsoft\eHome\perf.dat. Kaspersky found the attackers used a custom hybrid encryption method combining Microsoft’s DPAPI and RC5 to encrypt and save payloads, restricting decryption to the specific system of origin. Once decrypted, the MgBot variant is injected into legitimate svchost.exe processes. This modular implant can log keystrokes, harvest files, record audio, capture clipboard data, and steal browser credentials, maintaining stealthy and persistent access over long periods. Kaspersky concluded that Evasive Panda’s advanced capabilities continue to evade security measures while sustaining long-term persistence in targeted systems.
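The observables above (an update domain resolving outside the expected answer set, a renamed python.exe, the legacy libpython2.4.dll, and the staged perf.dat) can be turned into host-side detection logic. The following is an added example, not code from the report or from Kaspersky; it assumes Sysmon-style JSON events (event IDs 1, 7, 11, 22 with their usual field names), and the process names, PIDs and IP addresses in the sample are constructed for illustration.

```python
import json
import ntpath

# Constructed Sysmon-style events (JSON lines). Process names, PIDs and IPs are made up;
# only perf.dat, libpython2.4.dll and the sohu update domain come from the report.
SAMPLE_EVENTS = r"""
{"EventID": 22, "ProcessId": 3001, "Image": "C:\\Program Files\\SohuVA\\update.exe", "QueryName": "p2p.hd.sohu.com.cn", "QueryResults": "::ffff:198.51.100.7;"}
{"EventID": 1, "ProcessId": 4120, "Image": "C:\\ProgramData\\Microsoft\\eHome\\ehsvc.exe", "OriginalFileName": "python.exe"}
{"EventID": 7, "ProcessId": 4120, "Image": "C:\\ProgramData\\Microsoft\\eHome\\ehsvc.exe", "ImageLoaded": "C:\\ProgramData\\Microsoft\\eHome\\libpython2.4.dll"}
{"EventID": 11, "ProcessId": 4120, "Image": "C:\\ProgramData\\Microsoft\\eHome\\ehsvc.exe", "TargetFilename": "C:\\ProgramData\\Microsoft\\eHome\\perf.dat"}
{"EventID": 1, "ProcessId": 5000, "Image": "C:\\Python27\\python.exe", "OriginalFileName": "python.exe"}
{"EventID": 7, "ProcessId": 5000, "Image": "C:\\Python27\\python.exe", "ImageLoaded": "C:\\Python27\\python27.dll"}
"""

# Resolver answers the organisation has verified for the update domain (constructed
# documentation-range addresses; a real baseline comes from your own trusted resolver).
DNS_BASELINE = {"p2p.hd.sohu.com.cn": {"203.0.113.10", "203.0.113.11"}}
PERF_DAT = r"c:\programdata\microsoft\ehome\perf.dat"

def parse_events(text):
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def classify(ev):
    """Return a rule name if the event matches one of the campaign's observables, else None."""
    eid = ev["EventID"]
    base = ntpath.basename(ev.get("Image", "")).lower()
    if eid == 22 and ev.get("QueryName", "").lower() in DNS_BASELINE:
        answers = {a.replace("::ffff:", "") for a in ev["QueryResults"].split(";") if a}
        if not answers <= DNS_BASELINE[ev["QueryName"].lower()]:
            return "update domain resolved outside baseline (possible DNS poisoning)"
    if eid == 1 and ev.get("OriginalFileName", "").lower() == "python.exe" and base != "python.exe":
        return "renamed python.exe (PE OriginalFileName mismatch)"
    if eid == 7 and ntpath.basename(ev.get("ImageLoaded", "")).lower() == "libpython2.4.dll":
        return "legacy libpython2.4.dll loaded"
    if eid == 11 and ev.get("TargetFilename", "").lower() == PERF_DAT:
        return "encrypted stage written to eHome\\perf.dat"
    return None

def detect(events):
    """Group rule hits per process; two or more distinct hits on one PID is high confidence."""
    hits = {}
    for ev in events:
        rule = classify(ev)
        if rule:
            hits.setdefault(ev["ProcessId"], set()).add(rule)
    return {pid: ("high" if len(r) >= 2 else "low", sorted(r)) for pid, r in hits.items()}

if __name__ == "__main__":
    for pid, (conf, rules) in detect(parse_events(SAMPLE_EVENTS)).items():
        print(pid, conf, rules)
```

The DNS rule only fires for domains with a verified baseline, so it flags a poisoned answer without needing the attacker's addresses in advance; the host rules correlate on the process that wrote perf.dat.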
