China-Linked Evasive Panda Used DNS Poisoning to Spread MgBot Malware
A China-linked advanced persistent threat (APT) group has been tied to a stealthy cyber-espionage campaign that abused DNS poisoning techniques to deploy the MgBot backdoor against selected targets in Türkiye, China, and India.
According to Kaspersky, the activity was observed over a two-year period between November 2022 and November 2024 and has been attributed to the threat actor known as Evasive Panda, also tracked under the names Bronze Highland, Daggerfly, and StormBamboo. The group has reportedly been active since at least 2012.
Kaspersky researcher Fatih Şensoy explained that the attackers primarily relied on adversary-in-the-middle (AitM) attacks, selectively intercepting DNS requests to redirect victims toward malicious infrastructure. Instead of delivering malware directly, the attackers stored encrypted payload components on attacker-controlled servers, which were only served when specific DNS queries were triggered.
This approach allowed the group to deploy its signature MgBot backdoor while minimizing exposure and avoiding broad detection.
The campaign follows a pattern seen in earlier operations linked to Evasive Panda. In April 2023, ESET reported that the group may have used either a supply-chain compromise or DNS-level interception to distribute trojanized versions of legitimate software, including Tencent QQ, during an attack against an international NGO in mainland China.
More recently, in August 2024, cybersecurity firm Volexity disclosed that the same threat actor had compromised an unnamed internet service provider (ISP), using DNS poisoning to deliver malicious software updates directly to carefully selected victims.
These findings highlight the continued evolution of DNS-based attack techniques and reinforce concerns about infrastructure-level compromises being used for long-term cyber-espionage operations.
Evasive Panda is among several China-aligned threat groups that have increasingly relied on adversary-in-the-middle (AitM) DNS poisoning as a malware delivery method. In a recent report, ESET revealed it is currently monitoring at least 10 active Chinese threat actors using similar techniques for initial compromise or internal network movement. These groups include LuoYu, BlackTech, TheWizards APT, Blackwood, PlushDaemon, and FontGoblin, among others.
Kaspersky’s investigation shows that Evasive Panda frequently disguises its malicious payloads as legitimate software updates. One notable lure involved SohuVA, a video streaming application developed by Chinese tech company Sohu. In this case, the malware was served through the domain p2p.hd.sohu.com[.]cn, strongly suggesting the use of DNS manipulation to redirect victims to attacker-controlled infrastructure.
Researchers believe the attackers altered DNS responses so that update requests intended for SohuVA were silently redirected to malicious servers. While the application attempted to download legitimate update files from its usual directory path, the manipulated DNS resolution caused it to retrieve weaponized binaries instead.
Beyond SohuVA, Kaspersky identified additional campaigns where Evasive Panda employed trojanized update mechanisms for popular software, including Baidu’s iQIYI Video, IObit Smart Defrag, and Tencent QQ, expanding the reach of the operation across multiple trusted applications.
The infection chain ultimately leads to the execution of an initial loader that deploys shellcode on the compromised system. This shellcode then retrieves an encrypted second-stage payload, concealed within a PNG image file, once again using DNS poisoning, this time abusing the legitimate domain dictionary[.]com to blend malicious traffic with normal web activity.
Researchers believe Evasive Panda tampered with the IP resolution of dictionary[.]com, forcing victim systems to connect to attacker-controlled servers instead of the legitimate website. The redirection appears to be selective, with DNS responses altered based on the victim’s geographic location and internet service provider, indicating a highly targeted operation.
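The two redirections described above, the SohuVA update host and dictionary[.]com, share one detection opportunity: a poisoned resolution path returns addresses that an independent resolver does not. The Python below is an added example, not code from Kaspersky or from the report. It constructs DNS responses offline (standing in for the answer from the local resolver and from a reference resolver reached over a different network path), parses the A records in the answer section with a small wire-format parser, and reports addresses that appear only in the local answer. The host name, the addresses and the function names are assumptions for the example.

```python
import struct
from typing import Dict, List, Set, Tuple

# Hypothetical update host used for the constructed sample; it is not one of the
# domains named in the report.
UPDATE_HOST = "update.example.com"


def build_a_response(domain: str, addrs: List[str], txid: int = 0x1234) -> bytes:
    """Build a minimal DNS response with one question and one A record per address.
    Constructed offline test data standing in for what a resolver would return."""
    header = struct.pack(">HHHHHH", txid, 0x8180, 1, len(addrs), 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode()
                     for label in domain.split(".")) + b"\x00"
    question = qname + struct.pack(">HH", 1, 1)      # QTYPE=A, QCLASS=IN
    answers = b""
    for addr in addrs:
        rdata = bytes(int(octet) for octet in addr.split("."))
        # 0xC00C is a compression pointer back to the question name at offset 12
        answers += struct.pack(">HHHIH", 0xC00C, 1, 1, 300, 4) + rdata
    return header + question + answers


def _read_name(msg: bytes, off: int) -> Tuple[str, int]:
    """Decode a (possibly compressed) name; return (name, offset just after it)."""
    labels, end, jumped = [], off, False
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                   # compression pointer
            if not jumped:
                end = off + 2
            off = struct.unpack(">H", msg[off:off + 2])[0] & 0x3FFF
            jumped = True
            continue
        off += 1
        if length == 0:
            if not jumped:
                end = off
            return ".".join(labels), end
        labels.append(msg[off:off + length].decode())
        off += length


def parse_a_records(msg: bytes) -> Dict[str, Set[str]]:
    """Return {owner name: {IPv4, ...}} for A records in the answer section."""
    _txid, _flags, qdcount, ancount, _ns, _ar = struct.unpack(">HHHHHH", msg[:12])
    off = 12
    for _ in range(qdcount):                        # skip the question section
        _, off = _read_name(msg, off)
        off += 4                                    # QTYPE + QCLASS
    records: Dict[str, Set[str]] = {}
    for _ in range(ancount):
        name, off = _read_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
        off += 10
        rdata, off = msg[off:off + rdlen], off + rdlen
        if rtype == 1 and rdlen == 4:               # A record
            records.setdefault(name, set()).add(".".join(str(b) for b in rdata))
    return records


def find_divergence(local_msg: bytes, reference_msg: bytes) -> Dict[str, Set[str]]:
    """Addresses returned on the local path but absent from the reference answer.
    A non-empty result for a software-update host is worth investigating."""
    local, ref = parse_a_records(local_msg), parse_a_records(reference_msg)
    return {name: local[name] - ref.get(name, set())
            for name in local if local[name] - ref.get(name, set())}


if __name__ == "__main__":
    poisoned = build_a_response(UPDATE_HOST, ["203.0.113.10"])   # constructed
    expected = build_a_response(UPDATE_HOST, ["198.51.100.20"])  # constructed
    print(find_divergence(poisoned, expected))
```

Because the report describes answers altered per victim location and ISP, the reference answer has to come from a path the attacker is unlikely to control, such as an encrypted resolver at a different provider or a resolver in another network. CDN-backed hosts legitimately return different addresses from different vantage points, so in production the comparison should be against the publisher's expected address ranges or ASN rather than exact IPs, and a divergence is a lead to triage, not proof of poisoning.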
At this stage, the exact method used to poison DNS traffic remains unclear. However, investigators suspect two likely scenarios. In one case, attackers may have compromised specific ISPs used by targeted victims and deployed malicious network implants on edge infrastructure. Alternatively, the operation could involve the exploitation of vulnerable routers or firewalls within victim environments to manipulate DNS resolution locally.
Further analysis shows that HTTP requests used to retrieve the second-stage shellcode include the victim’s Windows version number. This suggests the attackers are actively profiling infected systems and tailoring payload delivery based on the operating system, allowing them to optimize exploitation or evade detection. Notably, Evasive Panda has previously employed watering hole attacks to spread malware targeting Apple macOS systems, including a strain known as MACMA.
While the full functionality of the second-stage payload remains unknown, Kaspersky’s findings indicate that the initial shellcode decrypts and executes it in memory. The attackers are believed to generate a unique, encrypted second-stage payload for each victim, a tactic designed to reduce signature-based detection and complicate forensic analysis.
A key component of the campaign is a secondary loader, delivered as libpython2.4.dll, which abuses a renamed legacy version of python.exe through DLL sideloading. Once executed, this loader retrieves and decrypts the next-stage malware by reading data stored in a file located at C:\ProgramData\Microsoft\eHome\perf.dat. This file holds the decrypted payload obtained during the previous infection phase.
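The secondary loader described above leaves three observable traces on the endpoint: a process whose embedded original file name is python.exe but whose on-disk name is something else, that process loading a libpython DLL from outside any normal interpreter install, and a write to the perf.dat path. The Python below is an added example, not code from Kaspersky or from the report; it runs three such rules over constructed Sysmon-shaped events (EventID 1 process create, 7 image load, 11 file create). The process name updater.exe, the process IDs and the list of trusted interpreter prefixes are assumptions for the example; the perf.dat path is the one named in the report.

```python
from pathlib import PureWindowsPath
from typing import Dict, List, Set, Tuple

# Assumption: a Python interpreter is only expected under these prefixes.
TRUSTED_PYTHON_PREFIXES = (r"c:\python", r"c:\program files\python")
# Staging path named in the report (lower-cased for comparison).
PERF_DAT = r"c:\programdata\microsoft\ehome\perf.dat"

# Constructed sample telemetry in a Sysmon-like shape; not real logs from the campaign.
SAMPLE_EVENTS: List[Dict] = [
    {"EventID": 1, "ProcessId": 4412, "Image": r"C:\ProgramData\Microsoft\eHome\updater.exe",
     "OriginalFileName": "python.exe"},
    {"EventID": 7, "ProcessId": 4412, "Image": r"C:\ProgramData\Microsoft\eHome\updater.exe",
     "ImageLoaded": r"C:\ProgramData\Microsoft\eHome\libpython2.4.dll", "Signed": "false"},
    {"EventID": 11, "ProcessId": 4412, "Image": r"C:\ProgramData\Microsoft\eHome\updater.exe",
     "TargetFilename": r"C:\ProgramData\Microsoft\eHome\perf.dat"},
    # Benign control: a normally installed interpreter loading its own runtime DLL.
    {"EventID": 1, "ProcessId": 5120, "Image": r"C:\Python27\python.exe",
     "OriginalFileName": "python.exe"},
    {"EventID": 7, "ProcessId": 5120, "Image": r"C:\Python27\python.exe",
     "ImageLoaded": r"C:\Python27\python27.dll", "Signed": "true"},
]


def _norm(path: str) -> str:
    return str(PureWindowsPath(path)).lower()


def _in_trusted_prefix(path: str) -> bool:
    return any(_norm(path).startswith(prefix) for prefix in TRUSTED_PYTHON_PREFIXES)


def detect_sideload(events: List[Dict]) -> List[Tuple[str, int, str]]:
    """Return (rule, pid, artefact) findings for the loader pattern in the report.
    Events are processed in order, so a process-create event must precede the
    image-load events of the same PID for the renamed-interpreter rule to tag it."""
    findings: List[Tuple[str, int, str]] = []
    renamed_python: Set[int] = set()
    for ev in events:
        eid, pid, image = ev["EventID"], ev["ProcessId"], ev["Image"]
        if eid == 1:
            # Rule 1: PE version info says python.exe, but the file on disk is named differently.
            if (ev.get("OriginalFileName", "").lower() == "python.exe"
                    and PureWindowsPath(image).name.lower() != "python.exe"):
                renamed_python.add(pid)
                findings.append(("renamed_python_interpreter", pid, image))
        elif eid == 7:
            # Rule 2: a libpython*.dll loaded by a renamed interpreter, unsigned,
            # or from outside any trusted interpreter location.
            dll = ev["ImageLoaded"]
            dll_name = PureWindowsPath(dll).name.lower()
            if dll_name.startswith("libpython") and dll_name.endswith(".dll"):
                if (pid in renamed_python
                        or ev.get("Signed", "").lower() != "true"
                        or not _in_trusted_prefix(dll)):
                    findings.append(("libpython_sideload", pid, dll))
        elif eid == 11:
            # Rule 3: anything writing the staging file named in the report.
            if _norm(ev["TargetFilename"]) == PERF_DAT:
                findings.append(("perf_dat_staging", pid, ev["TargetFilename"]))
    return findings


if __name__ == "__main__":
    for rule, pid, artefact in detect_sideload(SAMPLE_EVENTS):
        print(f"{rule}: pid={pid} {artefact}")
```

Rule 1 is the durable one: renaming the interpreter does not change the OriginalFileName recorded in its version resource, so it survives whatever name the loader is dropped under. Rule 3 is the narrowest and will age as the actor changes paths, so it belongs in a threat-intel list rather than a hard-coded detector.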
According to Kaspersky, the attackers relied on a multi-layered encryption workflow to protect this stage of the malware. The payload was initially XOR-encrypted; the loader decrypted it and then re-encrypted it using a customized hybrid approach that combines Microsoft’s Data Protection API (DPAPI) with the RC5 encryption algorithm. The final encrypted output was then written to perf.dat for later execution.
This tailored encryption strategy appears designed to hinder reverse engineering efforts. By binding the encrypted data to the specific system where it was created, the attackers effectively prevent analysts from extracting or decoding the payload outside the victim environment.
Once decrypted, the payload reveals a customized variant of MgBot, which the loader injects into a legitimate svchost.exe process to blend in with normal system activity. MgBot is a fully modular backdoor capable of stealing files, capturing keystrokes, monitoring clipboard content, recording audio, and extracting credentials from web browsers. These features allow it to operate covertly and maintain persistence on compromised systems for extended periods.
Kaspersky noted that this campaign once again highlights Evasive Panda’s technical sophistication, demonstrating the group’s ability to bypass security controls, deploy layered defenses against analysis, and sustain long-term access within carefully selected targets.