Evasive Panda Expands Silent Cyber Espionage Through DNS Poisoning and MgBot Malware + Video

Listen to this Post

Featured Image

🎯 Introduction

A quiet but deeply sophisticated cyber-espionage operation has been unfolding beneath the surface of global networks. Security researchers have uncovered a prolonged campaign linked to the China-aligned APT group known as Evasive Panda, revealing how modern espionage no longer relies on noisy exploits or mass infections. Instead, it hides inside trusted software updates, poisoned DNS responses, and memory-only malware designed to leave almost no trace. This operation, active for nearly two years, demonstrates how advanced threat actors are refining persistence, stealth, and precision to an alarming degree.

🧩 Overview of the Threat Actor and Campaign Scope

Kaspersky researchers identified Evasive Panda, also tracked as Daggerfly, Bronze Highland, or StormBamboo, conducting a highly targeted cyber-espionage campaign across Türkiye, China, and India. The attackers relied on DNS poisoning techniques to silently redirect victims toward malicious infrastructure, ultimately delivering the long-established MgBot backdoor.

🧩 A Decade-Old Group Still Evolving

Evasive Panda has been operational for over ten years and is known for its proprietary MgBot malware framework. Despite its age, the group continues to evolve. In 2023, Symantec documented MgBot enhancements during an intrusion at an African telecom operator, signaling ongoing development and experimentation.

🧩 Long-Term and Highly Targeted Operations

The observed campaign began in November 2022 and persisted until November 2024. Rather than spreading widely, the attackers focused on select victims, maintaining access for months or even years. Some compromised systems remained under attacker control for over a year.

🧩 Adversary-in-the-Middle via DNS Poisoning

At the heart of the operation was DNS poisoning. By tampering with DNS responses, the attackers redirected legitimate update requests to servers they controlled. Victims believed they were downloading authentic software updates, while in reality they were receiving malware.

🧩 Fake Updates Masquerading as Trusted Software

Initial infection commonly occurred through malicious executables impersonating software updates. One example was a fake SohuVA update package designed to appear identical to the legitimate installer. Similar tactics targeted iQIYI Video, IObit Smart Defrag, and Tencent QQ.

🧩 Stealthy Loaders and Memory-Only Execution

The initial loader, written in C++ using the Windows Template Library, appeared as a harmless sample project. Its true purpose was to decrypt configuration data, adapt execution based on the logged-in user, and prepare the environment for MgBot deployment entirely in memory.

🧩 Multi-Stage Malware Delivery

Execution followed a multi-stage process. The loader decrypted and ran shellcode that resolved Windows APIs through hashing, avoiding clear-text indicators. It searched for encrypted DAT files tied to the victim system, ensuring payloads were both unique and difficult to analyze.

🧩 Conditional Payload Retrieval

If local payload files were absent, the malware retrieved the next stage from the internet. DNS poisoning again ensured connections appeared legitimate, often impersonating well-known domains such as dictionary services. Payloads were customized based on system details sent in HTTP headers.

🧩 Secondary Loader Disguised as a DLL

Researchers also identified a secondary loader masquerading as a legitimate Windows library named libpython2.4.dll. It was executed via a signed binary, evteng.exe, allowing malware execution to blend seamlessly with trusted processes.

🧩 Persistent Encryption and Renaming

Payloads were repeatedly moved, renamed, decrypted, and re-encrypted using combinations of XOR, DPAPI, and RC5. This constant transformation bound malware to individual machines and significantly complicated forensic analysis.

🧩 Attribution to Evasive Panda

Despite introducing new loaders and delivery mechanisms, the attackers ultimately deployed the familiar MgBot implant. The tactics, techniques, and procedures strongly align with Evasive Panda’s historical operations, including supply-chain abuse and watering-hole style attacks.

🧩 A Campaign Built for Silence and Longevity

Kaspersky concluded that the operation reflects a well-funded and patient adversary. The emphasis on stealth, encrypted in-memory execution, and per-victim customization highlights a mature espionage program designed to avoid detection indefinitely.

What Undercode Say:

Evasive Panda’s latest campaign illustrates a clear shift from brute-force intrusion toward surgical cyber espionage. DNS poisoning, once considered a noisy and risky tactic, has been refined here into a near-invisible delivery channel when paired with legitimate software update mechanisms. This is not opportunistic hacking; it is infrastructure-level manipulation.

What stands out is not the novelty of MgBot, but its continued relevance. By preserving a proven backdoor while experimenting with new loaders, the group minimizes operational risk while still advancing its capabilities. This dual-track evolution reflects disciplined threat development rather than reckless innovation.

The heavy reliance on memory-only execution and system-bound encryption signals an awareness of modern defensive tooling. Endpoint detection platforms increasingly depend on file artifacts and behavioral signatures. Evasive Panda deliberately starves defenders of both.

Another critical insight lies in victim selection. Türkiye, China, and India are not random. These regions sit at the crossroads of geopolitical, economic, and technological interests. Long-term access to telecoms, enterprises, or government-adjacent systems offers strategic intelligence value far beyond immediate data theft.

The abuse of trusted update channels exposes a structural weakness in software ecosystems. Even fully patched systems become vulnerable when trust itself is compromised. This campaign reinforces that security is no longer just about vulnerabilities, but about integrity at every layer of distribution.

Evasive Panda’s patience is perhaps its most dangerous trait. Two years of continuous operation without mass exposure suggests careful operational security and constant internal monitoring. This is not a campaign seeking headlines; it is one designed to remain unseen.

Ultimately, this activity reflects a broader trend in state-aligned cyber operations. Espionage actors are investing in persistence, subtlety, and resilience rather than speed. For defenders, this means detection must shift from reactive alerts to long-term behavioral baselining and infrastructure integrity monitoring.

🔍 Fact Checker Results

✅ Evasive Panda is a long-running China-linked APT group with a history of MgBot usage.
✅ DNS poisoning and adversary-in-the-middle tactics were central to the campaign.
❌ No evidence suggests the campaign relied on zero-day exploits.

📊 Prediction

🔮 Evasive Panda is likely to introduce further modular loaders before replacing MgBot entirely.
🔮 DNS-based attack surfaces will see increased abuse as TLS-only defenses expand.
🔮 Similar long-term campaigns are likely ongoing but remain undiscovered due to their stealth.

▶️ Related Video (84% Match):

https://www.youtube.com/watch?v=2p8Lr16bAoc

🕵️‍📝✔️Let’s dive deep and fact‑check.

References:

Reported By: securityaffairs.com
Extra Source Hub (Possible Sources for article):
https://www.twitter.com
Wikipedia
OpenAi & Undercode AI

Image Source:

Unsplash
Undercode AI DI v2
Bing

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow UndercodeNews & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin | 🦋BlueSky | 🐘Mastodon