China-linked APT Evasive Panda used DNS poisoning to deliver the MgBot backdoor in targeted cyber-espionage attacks in Türkiye, China, and India.
Kaspersky researchers spotted the China-linked APT group Evasive Panda (aka Daggerfly, Bronze Highland, and StormBamboo) running a targeted cyber-espionage campaign using DNS poisoning to deliver the MgBot backdoor against victims in Türkiye, China, and India.
Evasive Panda has been active for at least a decade and is known for its use of the custom MgBot malware framework. In 2023, Symantec identified a Daggerfly intrusion at an African telecom operator that used new MgBot plugins, highlighting the group’s ongoing evolution in cyber-espionage tactics.
The attackers conducted highly targeted campaigns, which started in November 2022 and ran until November 2024.
The APT group carried out adversary-in-the-middle attacks, using stealthy loaders and encrypted malware components delivered via DNS responses. It deployed unique, hard-to-detect implants per victim and injected the MgBot backdoor into legitimate processes in memory, using DLL sideloading to remain hidden for long periods.
The campaign’s initial infection relies on fake software updates masquerading as trusted applications. Threat actors distributed a malicious executable posing as a SohuVA update, likely delivered via DNS poisoning that redirected update requests to attacker-controlled servers.
“The malicious package, named sohuva_update_10.2.29.1-lup-s-tp.exe, clearly impersonates a real SohuVA update to deliver malware from the following resource,” reads the report published by Kaspersky.
“There is a possibility that the attackers used a DNS poisoning attack to alter the DNS response of p2p.hd.sohu.com[.]cn to an attacker-controlled server’s IP address, while the genuine update module of the SohuVA application tries to update its binaries located in appdata\roaming\shapp\7.0.18.0\package.”
Similar fake updaters targeted other popular apps such as iQIYI Video, IObit Smart Defrag, and Tencent QQ, often executed by legitimate services to appear trustworthy.
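The redirection described in the quoted passage only works if the victim's resolver hands back an attacker-controlled address for the update host. The script below is an added example (it is not code from Kaspersky or from the report) showing one way a defender can surface that: compare the answers endpoints receive for watched update domains with answers obtained out of band (for example from a trusted DNS-over-HTTPS resolver or a vendor-published list) and flag any divergence. Only the domain p2p.hd.sohu.com.cn comes from the report; the reference answers, the log lines and every IP address (RFC 5737 documentation ranges) are constructed sample data.

```python
"""Flag DNS answers for watched software-update domains that disagree with a
trusted reference resolver. Added example; all data below is constructed."""
from dataclasses import dataclass

# Update domains whose answers are checked. Only the first is named in the
# report; the set is meant to be extended with your own vendors' update hosts.
WATCHED = {"p2p.hd.sohu.com.cn"}

# Constructed reference answers, assumed to come from an independent resolver
# (e.g. DNS over HTTPS from a trusted provider) or a vendor-published list.
REFERENCE = {
    "p2p.hd.sohu.com.cn": {"198.51.100.10", "198.51.100.11"},
}

# Constructed endpoint DNS log: timestamp, client, query name, resolver used,
# comma-separated answer IPs. The third line models a poisoned answer.
SAMPLE_LOG = """\
2024-03-01T10:00:01Z 10.0.0.5 p2p.hd.sohu.com.cn 10.0.0.1 198.51.100.10,198.51.100.11
2024-03-01T10:00:02Z 10.0.0.5 www.example.com 10.0.0.1 192.0.2.44
2024-03-01T10:05:00Z 10.0.0.9 p2p.hd.sohu.com.cn 10.0.0.1 203.0.113.7
2024-03-01T10:05:01Z 10.0.0.9 p2p.hd.sohu.com.cn. 10.0.0.1 198.51.100.10
"""


@dataclass(frozen=True)
class Finding:
    ts: str
    client: str
    qname: str
    resolver: str
    unexpected: frozenset  # answer IPs absent from the reference set


def parse_line(line):
    """Split one log line into (ts, client, qname, resolver, {answers})."""
    ts, client, qname, resolver, answers = line.split()
    # Normalise the name: lower-case, no trailing dot.
    return ts, client, qname.lower().rstrip("."), resolver, set(answers.split(","))


def find_divergent_answers(log_text, reference=REFERENCE, watched=WATCHED):
    """Return a Finding for every watched-domain answer not in the reference."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, client, qname, resolver, answers = parse_line(line)
        if qname not in watched:
            continue
        # A watched domain with no reference entry is treated as fully unexpected.
        unexpected = answers - reference.get(qname, set())
        if unexpected:
            findings.append(Finding(ts, client, qname, resolver, frozenset(unexpected)))
    return findings


if __name__ == "__main__":
    for f in find_divergent_answers(SAMPLE_LOG):
        print(f"{f.ts} {f.client} {f.qname} via {f.resolver}: "
              f"unexpected answer(s) {sorted(f.unexpected)}")
```

Running it on the constructed log reports only the 10.0.0.9 lookup that received 203.0.113.7. In practice the reference set has to be refreshed as vendors change hosting, so a divergence is a lead to verify (certificate, ASN, reputation) rather than a verdict on its own.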
The initial loader is written in C++ using the Windows Template Library and is disguised as a benign sample project. It decrypts and decompresses its configuration to reveal installation paths, resource domains, and encrypted MgBot settings. The malware adapts its behavior based on the logged-in user, decrypts all strings at runtime, and uses XOR encryption and LZMA compression to evade detection. The malicious code ultimately decrypts and executes shellcode in memory by changing memory permissions, enabling stealthy deployment of the MgBot backdoor without obvious artifacts.
The malware uses a multi-stage process to run its payload in a stealthy way. The first loader executes shellcode that hides API calls by resolving Windows functions through hashing instead of clear names. The shellcode looks for a special DAT file in its install folder. If it finds the file, it decrypts it with Windows CryptUnprotectData so only that machine can read it, then deletes the file to remove traces.
If the DAT file does not exist, the shellcode downloads the next stage from the web. Attackers poison DNS responses so victims reach attacker servers while thinking they connect to legitimate sites like dictionary.com. The shellcode sends the Windows version in HTTP headers so attackers can choose the right payload for that system. It then decrypts the downloaded data with XOR, changes memory permissions, and executes it.
The malware later encrypts the payload again and stores it as a new DAT file, often unique per victim, to evade detection.
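Because the stored DAT file is wrapped with DPAPI, it cannot be decrypted off the infected host, but the wrapper itself is recognisable: a CryptProtectData blob begins with a version DWORD of 1 followed by the provider GUID df9d8cd0-1501-11d1-8c7a-00c04fc297eb, then a master-key version DWORD and the master-key GUID. The script below is an added example, not the report's code, for triaging .dat files in an application directory: it identifies DPAPI-wrapped blobs (and extracts the master-key GUID a responder can match against the user's Protect folder) and flags high-entropy opaque files such as XOR- or RC5-encrypted payloads. The file names, the contents and the temporary directory are constructed; the verdict thresholds are assumptions.

```python
"""Triage .dat files for DPAPI-wrapped blobs and high-entropy opaque data.
Added example; sample files are constructed in a temporary directory."""
import math
import random
import struct
import tempfile
import uuid
from pathlib import Path

DPAPI_PROVIDER_GUID = uuid.UUID("df9d8cd0-1501-11d1-8c7a-00c04fc297eb")
# First 20 bytes of every DPAPI blob: version 1 then the provider GUID in
# Windows mixed-endian byte order.
DPAPI_MAGIC = struct.pack("<I", 1) + DPAPI_PROVIDER_GUID.bytes_le
ENTROPY_THRESHOLD = 7.5      # bits per byte; encrypted/random data sits near 8.0 (assumed cut-off)
MIN_SIZE_FOR_ENTROPY = 256   # entropy is meaningless on tiny files (assumed cut-off)


def is_dpapi_blob(data):
    return data[:20] == DPAPI_MAGIC


def dpapi_master_key_guid(data):
    """Master-key GUID at offset 24 (after the master-key version DWORD), or None."""
    if not is_dpapi_blob(data) or len(data) < 40:
        return None
    return str(uuid.UUID(bytes_le=data[24:40]))


def shannon_entropy(data):
    """Shannon entropy in bits per byte."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def triage_file(path):
    data = Path(path).read_bytes()
    ent = shannon_entropy(data)
    if is_dpapi_blob(data):
        verdict = "dpapi-bound"       # only decryptable on the originating host/account
    elif len(data) >= MIN_SIZE_FOR_ENTROPY and ent > ENTROPY_THRESHOLD:
        verdict = "high-entropy"      # opaque data, e.g. XOR/RC5-encrypted payload
    else:
        verdict = "low-entropy"       # plain text or structured data
    return {"name": Path(path).name, "size": len(data), "dpapi": is_dpapi_blob(data),
            "master_key_guid": dpapi_master_key_guid(data), "entropy": round(ent, 2),
            "verdict": verdict}


def triage_dir(root, suffixes=(".dat",)):
    return [triage_file(p) for p in sorted(Path(root).iterdir())
            if p.is_file() and p.suffix.lower() in suffixes]


def make_sample_dir():
    """Build a temp directory of constructed sample files and return its path."""
    root = tempfile.mkdtemp(prefix="dat_triage_")
    rng = random.Random(1234)                       # deterministic constructed content
    mk_guid = uuid.UUID(int=rng.getrandbits(128))   # constructed master-key GUID
    # A DPAPI-looking blob: magic, master-key version 1, master-key GUID, opaque body.
    (Path(root) / "perf.dat").write_bytes(
        DPAPI_MAGIC + struct.pack("<I", 1) + mk_guid.bytes_le + rng.randbytes(4096))
    (Path(root) / "cache.dat").write_bytes(rng.randbytes(4096))          # opaque, no DPAPI header
    (Path(root) / "status.dat").write_bytes(b"C:\\placeholder\\evteng.exe\r\n")  # plain-text path (placeholder)
    (Path(root) / "readme.txt").write_bytes(b"not a dat file\n")         # ignored: wrong suffix
    return root


if __name__ == "__main__":
    for r in triage_dir(make_sample_dir()):
        print(r)
```

On the constructed directory, perf.dat is reported as dpapi-bound with its master-key GUID, cache.dat as high-entropy and status.dat as low-entropy. A DPAPI blob sitting next to an application's own binaries, or a master-key GUID that does not correspond to any key under the user's %APPDATA%\Microsoft\Protect, is the kind of finding that justifies imaging the host rather than just collecting the file.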
Researchers found a secondary loader called libpython2.4.dll disguised as a legitimate Windows library. It is loaded by a signed executable, evteng.exe (an old, renamed python.exe), via DLL sideloading so the malware runs under a trusted-looking process. The loader saves its own path in status.dat, likely to support future updates. It then decrypts the next stage from perf.dat, which holds payloads fetched via DNS poisoning. The attackers repeatedly move and rename the payload, decrypt it with XOR, and re-encrypt it using a custom mix of DPAPI and RC5 to bind it to the infected system and evade analysis.
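The sideloading step leaves a clear trace in image-load telemetry: a benign-looking executable loads a DLL whose name mimics a real library, from a directory an ordinary user can write to. The script below is an added example (not code from the report) that runs a generic version of that rule over Sysmon Event ID 7 records: flag any unsigned DLL loaded from a user-writable location, and raise the severity when the loading process lives in that same directory, the classic pattern of dropping the executable and its lookalike DLL together. Only the names evteng.exe and libpython2.4.dll come from the report; the event records, user names and paths are constructed, and the user-writable path list is an assumption to adapt to your environment.

```python
"""Detect DLL sideloading from Sysmon Event ID 7 (Image loaded) records.
Added example; event records are constructed sample data."""
import json
import ntpath
import re

# Locations an ordinary Windows user can write to (assumed list; extend as needed).
USER_WRITABLE = re.compile(
    r"^[a-z]:\\(?:users\\[^\\]+\\(?:appdata|downloads|desktop|documents)"
    r"|users\\public|programdata|windows\\temp)\\",
    re.IGNORECASE,
)

# Constructed Sysmon records in JSON-lines form. Field names follow the
# Event ID 7 schema (Image, ImageLoaded, Signed, Signature, SignatureStatus).
SAMPLE_EVENTS = r"""
{"EventID": 7, "Image": "C:\\Users\\alice\\AppData\\Roaming\\shapp\\evteng.exe", "ImageLoaded": "C:\\Users\\alice\\AppData\\Roaming\\shapp\\libpython2.4.dll", "Signed": "false", "Signature": "-", "SignatureStatus": "Unavailable"}
{"EventID": 7, "Image": "C:\\Windows\\System32\\svchost.exe", "ImageLoaded": "C:\\Windows\\System32\\ntdll.dll", "Signed": "true", "Signature": "Microsoft Windows", "SignatureStatus": "Valid"}
{"EventID": 7, "Image": "C:\\Program Files\\SomeApp\\app.exe", "ImageLoaded": "C:\\Users\\alice\\AppData\\Local\\Temp\\helper.dll", "Signed": "false", "Signature": "-", "SignatureStatus": "Unavailable"}
{"EventID": 1, "Image": "C:\\Users\\alice\\AppData\\Roaming\\shapp\\evteng.exe", "CommandLine": "evteng.exe"}
"""


def load_events(text):
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def is_user_writable(path):
    return bool(USER_WRITABLE.match(path))


def detect_sideloading(events, allowlist=frozenset()):
    """Return findings for unsigned DLLs loaded from user-writable directories."""
    findings = []
    for ev in events:
        if ev.get("EventID") != 7:          # only image-load events carry signing data
            continue
        image, loaded = ev["Image"], ev["ImageLoaded"]
        dll = ntpath.basename(loaded).lower()
        if dll in allowlist:                # known-good unsigned DLLs for this estate
            continue
        unsigned = str(ev.get("Signed", "false")).lower() != "true"
        if not (unsigned and is_user_writable(loaded)):
            continue
        # Process and DLL dropped side by side is the strongest sideloading signal.
        same_dir = ntpath.dirname(image).lower() == ntpath.dirname(loaded).lower()
        findings.append({
            "process": image,
            "dll": dll,
            "dll_path": loaded,
            "severity": "high" if same_dir else "medium",
            "reason": ("unsigned DLL loaded by a process in the same user-writable directory"
                       if same_dir else "unsigned DLL loaded from a user-writable directory"),
        })
    return findings


if __name__ == "__main__":
    for f in detect_sideloading(load_events(SAMPLE_EVENTS)):
        print(f"[{f['severity']}] {f['process']} loaded {f['dll_path']}: {f['reason']}")
```

On the constructed events this yields a high-severity finding for evteng.exe loading libpython2.4.dll and a medium one for the Temp-directory DLL, while the svchost.exe line is ignored. Event ID 7 records the signature of the loaded image, not of the loading process, so whether the host executable is a legitimately signed binary has to be checked separately (from the file itself or from an enrichment source); a signed, renamed interpreter loading an unsigned DLL from %APPDATA% is exactly the combination the report describes.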

Kaspersky’s telemetry shows victims in Türkiye, China, and India, with some systems compromised for over a year. The attackers maintained the campaign for two years (Nov 2022–Nov 2024), showing strong persistence and significant resources.
The attack’s TTPs strongly point to the Evasive Panda group. Despite introducing a new loader, the attackers still deployed the long-used MgBot implant with updated configuration elements. As in past campaigns, Evasive Panda relied on stealthy delivery methods such as supply-chain compromise, adversary-in-the-middle, and watering-hole attacks to spread malware without attracting attention.
“The Evasive Panda threat actor has once again showcased its advanced capabilities, evading security measures with new techniques and tools while maintaining long-term persistence in targeted systems,” concludes the report. “Our investigation suggests that the attackers are continually improving their tactics, and it is likely that other ongoing campaigns exist. The introduction of new loaders may precede further updates to their arsenal.”
