
China-Linked APT Uses DNS Poisoning to Deploy MgBot Backdoor

Eng. Donya Bino

A China-linked advanced persistent threat group has been linked to a sophisticated cyber espionage campaign that weaponized poisoned Domain Name System (DNS) responses to silently deploy its custom MgBot backdoor.

A recent analysis by Kaspersky shows that the Evasive Panda group has been an ongoing threat for over two years, with activity observed from November 2022 through November 2024 against targets in Türkiye, China, and India.

The operation historically focused on carefully watching selected potential victims in these countries. It has been attributed to Evasive Panda, one of several names under which this actor is tracked; two other group names used by other researchers cover the same pattern of activity. Evasive Panda is considered a veteran of cyber threats, having reportedly been active since at least 2012.

Adversary-in-the-Middle at the Network Level
Rather than relying on traditional phishing or exploit chains, Evasive Panda conducted adversary-in-the-middle (AitM) attacks by manipulating DNS resolution. This allowed the attackers to redirect legitimate software update requests to infrastructure under their control, without alerting users or triggering browser warnings.

Victims were unaware that they had downloaded a malicious payload while trying to update trusted third-party applications; the update mechanism itself became the attack vector. Kaspersky observed update lures impersonating applications such as SohuVA, iQIYI Video, IObit Smart Defrag and Tencent QQ.

The most interesting case Kaspersky found involved poisoned DNS resolution for p2p.hd.sohu.com: DNS queries made by the legitimate updater were answered with the attacker's server address, so the updater fetched its binaries from attacker infrastructure while believing it was contacting the expected source.

Delivery of Multi-Stage Malware through DNS Poisoning
The DNS poisoning deployed an initial loader containing shellcode that downloaded the second-stage payload as an encrypted file. This file was presented as a PNG image and was fetched from another legitimate domain (dictionary.com) whose DNS resolution was also poisoned. The attacker's DNS server was able to serve poisoned responses only to victims in specific geolocations and ISPs, which indicates a highly targeted and well-planned operation.

Additionally, the HTTP request sent to the attacker-controlled server carried information about the victim's Windows version, allowing the attackers to tailor the delivered malware to the operating system in use. Although the exact technique used to poison the DNS responses is unknown, researchers believe the attackers either compromised certain ISPs or had access to devices at the edge of the victims' networks (for example, routers and firewalls).
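One defensive check that follows from the p2p.hd.sohu.com and dictionary.com cases above is to compare the A records a local resolver returns for known update domains against an expected-netblock baseline and against an independent resolver. The following is an added example, not code from Kaspersky or the original article; the log format, the baseline netblocks and the resolver addresses are constructed assumptions.

```python
import ipaddress
from collections import defaultdict

# Hypothetical baseline of expected netblocks per update domain (constructed
# documentation prefixes, not the real sohu.com or dictionary.com ranges).
BASELINE = {
    "p2p.hd.sohu.com": ["203.0.113.0/24"],
    "dictionary.com": ["198.51.100.0/24"],
}

# Constructed resolver log, "<ts> <resolver> <qname> <rrtype> <rdata>". Lines 3 and 5
# model poisoned local-resolver answers; line 4 is an independent resolver's view.
SAMPLE_LOG = """\
2024-11-02T10:00:01Z 10.0.0.53 p2p.hd.sohu.com A 203.0.113.10
2024-11-02T10:00:02Z 10.0.0.53 dictionary.com A 198.51.100.7
2024-11-02T10:05:13Z 10.0.0.53 p2p.hd.sohu.com A 192.0.2.44
2024-11-02T10:05:14Z 1.1.1.1 p2p.hd.sohu.com A 203.0.113.10
2024-11-02T10:06:00Z 10.0.0.53 dictionary.com A 192.0.2.45
"""

def a_records(log_text):
    """Yield (ts, resolver, qname, rdata) for each A answer in the log."""
    for line in log_text.strip().splitlines():
        ts, resolver, qname, rrtype, rdata = line.split()
        if rrtype == "A":
            yield ts, resolver, qname.lower().rstrip("."), rdata

def in_baseline(qname, rdata):
    """True when rdata is inside a known netblock for qname, or qname is unmonitored."""
    nets = BASELINE.get(qname)
    if nets is None:
        return True
    return any(ipaddress.ip_address(rdata) in ipaddress.ip_network(n) for n in nets)

def find_poisoned_answers(log_text):
    """Answers for monitored update domains that fall outside the baseline."""
    return [rec for rec in a_records(log_text) if not in_baseline(rec[2], rec[3])]

def resolver_disagreements(log_text):
    """qname -> union of answers where two resolvers returned different A sets;
    such a split between local and independent resolution hints at manipulation."""
    answers = defaultdict(lambda: defaultdict(set))
    for _, resolver, qname, rdata in a_records(log_text):
        answers[qname][resolver].add(rdata)
    out = {}
    for qname, per_resolver in answers.items():
        sets = list(per_resolver.values())
        if len(sets) > 1 and any(s != sets[0] for s in sets[1:]):
            out[qname] = set().union(*sets)
    return out
```

Run against real resolver logs, the disagreement check needs at least one query path the attacker does not control (for example DNS over HTTPS to an external resolver), otherwise both views may be poisoned alike.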

Custom Encryption and Stealthy Execution
The attackers delivered a secondary loader disguised as libpython2.4.dll, a renamed legacy Python library. This loader decrypted and executed the subsequent malware. The encrypted payload was stored in a file called perf.dat and protected by a custom hybrid scheme combining DPAPI and RC5. Because DPAPI keys are bound to the host, the payload could only be decrypted on the infected machine, which makes it difficult to analyze during a forensic investigation or when intercepted in transit.

The Transport E-Monitoring Agent in Detail
The final-stage payload was a modified version of the Transport E-Monitoring Agent, injected into a legitimate svchost.exe process. The Agent is modular, designed for long-term monitoring, and provides functions such as:
1. File collection
2. Keystroke logging
3. Clipboard monitoring
4. Audio capture
5. Browser credential theft

These functions give the attacker continuous, quiet access to compromised systems for months or years.

A Familiar but Evolving Threat
This campaign reinforces Evasive Panda's reputation as one of the most technically capable China-aligned threat actors. The group has previously been linked to watering hole attacks, supply chain compromises, and macOS malware such as MACMA.

By abusing trusted infrastructure and manipulating resolution at the DNS level, Evasive Panda continues to evade conventional security controls while maintaining deep, persistent access to high-value targets.

Source: The Hacker News
