China-Linked Evasive Panda Conducted DNS Poisoning Campaign to Deliver MgBot Malware
A China-based advanced persistent threat (APT) group has been tied to a focused cyber-espionage operation in which the attackers tampered with Domain Name System (DNS) responses to deliver their MgBot backdoor, with observed targets in Türkiye, China, and India.
The campaign, according to Kaspersky, was active between November 2022 and November 2024. It’s attributed to the threat group Evasive Panda, also tracked as Bronze Highland, Daggerfly, and StormBamboo, and assessed to have been operating since at least 2012.
“The group mainly performed adversary-in-the-middle (AitM) attacks on specific victims,” Kaspersky researcher Fatih Şensoy said in a detailed analysis. “These included techniques such as dropping loaders into specific locations and storing encrypted parts of the malware on attacker-controlled servers, which were resolved as a response to specific website DNS requests.”
This is not the first time Evasive Panda’s DNS poisoning capabilities have been highlighted. In April 2023, ESET reported that the actor likely executed either a supply chain compromise or an AitM attack to distribute trojanized versions of legitimate applications such as Tencent QQ, in an intrusion against an international non-governmental organization (NGO) in Mainland China.
In August 2024, Volexity documented how the same threat actor breached an unnamed internet service provider (ISP) using a DNS poisoning attack to push malicious software updates to selected downstream customers.

Evasive Panda is one of several China-aligned clusters that have repeatedly used AitM and DNS poisoning techniques for malware delivery. In research published last month, ESET stated it is tracking 10 active China-linked groups abusing this approach for initial access or lateral movement, including LuoYu, BlackTech, TheWizards APT, Blackwood, PlushDaemon, and FontGoblin.
In the activity described by Kaspersky, the threat actor relied on fake update flows that impersonate updates for third-party software such as SohuVA, a video streaming application from Sohu. The rogue update is sourced from the domain “p2p.hd.sohu.com[.]cn,” strongly suggesting DNS poisoning of the legitimate service.
“There is a possibility that the attackers used a DNS poisoning attack to alter the DNS response of p2p.hd.sohu.com[.]cn to an attacker-controlled server’s IP address, while the genuine update module of the SohuVA application tries to update its binaries located in appdata\roaming\shapp\7.0.18.0\package,” Şensoy explained.
The Russian cybersecurity vendor said it also uncovered additional activity in which Evasive Panda used a spoofed updater mechanism for Baidu’s iQIYI Video, as well as IObit Smart Defrag and Tencent QQ.
This access chain ultimately delivers an initial loader that executes shellcode, which then retrieves a second-stage encrypted shellcode embedded within a PNG image file. This, again, is obtained via DNS poisoning, this time abusing the legitimate domain dictionary[.]com.
Evasive Panda is reported to have altered the IP address returned for dictionary[.]com, causing victim machines to resolve that hostname to attacker-controlled infrastructure, with responses tailored based on geography and victim ISP.
The exact mechanism used to poison the DNS traffic is still unknown. Two working hypotheses are that the attackers either compromised selected ISPs to deploy a network implant on edge devices, or directly compromised a router or firewall in the victim environment to manipulate DNS responses.
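One way a defender can surface the kind of tailored, per-vantage answers described above, as an added example that is not from Kaspersky's report: collect the A records returned for the affected hostnames from several vantage points, flag any vantage whose answers share no address with a trusted resolver, and then look for one flagged address answering for several unrelated hostnames. The log format, vantage names and all addresses (RFC 5737 documentation ranges) are constructed for the example.

```python
from collections import defaultdict
import ipaddress

# Constructed sample log: "<vantage> <qname> <answer_ip>", one answer per line.
SAMPLE_LOG = """\
resolver-trusted dictionary.com 192.0.2.10
resolver-trusted dictionary.com 192.0.2.11
branch-office-A dictionary.com 192.0.2.10
branch-office-B dictionary.com 198.51.100.7
resolver-trusted p2p.hd.sohu.com.cn 203.0.113.5
branch-office-B p2p.hd.sohu.com.cn 198.51.100.7
resolver-trusted example.org 203.0.113.9
branch-office-A example.org 203.0.113.9
"""

def parse_log(text):
    """Return {qname: {vantage: set(ips)}}; malformed addresses raise ValueError."""
    answers = defaultdict(lambda: defaultdict(set))
    for line in text.splitlines():
        if not line.strip():
            continue
        vantage, qname, ip = line.split()
        ipaddress.ip_address(ip)  # reject garbage before it reaches the comparison
        answers[qname.lower().rstrip(".")][vantage].add(ip)
    return answers

def find_divergent(answers, trusted="resolver-trusted"):
    """{qname: {vantage: [ips]}} for vantages whose answers share nothing with the trusted resolver.
    An empty intersection (rather than inequality) avoids flagging ordinary round-robin CDN answers."""
    flagged = {}
    for qname, per_vantage in answers.items():
        baseline = per_vantage.get(trusted, set())
        for vantage, ips in per_vantage.items():
            if vantage != trusted and not (ips & baseline):
                flagged.setdefault(qname, {})[vantage] = sorted(ips)
    return flagged

def shared_sinks(flagged):
    """Among flagged answers, addresses that serve more than one hostname: a single
    attacker-controlled server standing in for several poisoned names is a strong signal."""
    hosts_by_ip = defaultdict(set)
    for qname, per_vantage in flagged.items():
        for ips in per_vantage.values():
            for ip in ips:
                hosts_by_ip[ip].add(qname)
    return {ip: sorted(h) for ip, h in hosts_by_ip.items() if len(h) > 1}

if __name__ == "__main__":
    divergent = find_divergent(parse_log(SAMPLE_LOG))
    print("divergent:", divergent)
    print("shared sinks:", shared_sinks(divergent))
```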
The HTTP request used to retrieve the second-stage shellcode also passes the current Windows version value, likely allowing the actor to target specific operating system releases and adjust payloads or delivery logic accordingly. Evasive Panda has previously used watering hole techniques to distribute an Apple macOS malware referred to as MACMA.
While the exact capabilities of the second-stage payload remain undetermined, Kaspersky’s analysis indicates that the first-stage shellcode decrypts and executes the downloaded component. It’s believed the actor generates a distinct encrypted second-stage shellcode file per victim to reduce cross-environment detection and make correlation harder for defenders.

A key element of the intrusion chain is a secondary loader (“libpython2.4.dll”) that depends on a renamed, legacy version of “python.exe” for DLL sideloading. Once started, it downloads and decrypts the subsequent malware stage by reading the contents of “C:\ProgramData\Microsoft\eHome\perf.dat,” which stores the encrypted payload obtained in the prior step.
“It appears that the attacker used a complex process to obtain this stage from a resource, where it was initially XOR-encrypted,” Kaspersky said. “The attacker then decrypted this stage with XOR and subsequently encrypted and saved it to perf.dat using a custom hybrid of Microsoft’s Data Protection Application Programming Interface (DPAPI) and the RC5 algorithm.”
This non-standard encryption scheme is intended to hinder reverse engineering and incident response by ensuring the data can only be decrypted on the original host, limiting opportunities to intercept, replay, or perform offline analysis of the malicious payload.
The decrypted component is an MgBot variant that the secondary loader injects into a legitimate “svchost.exe” process. MgBot is a modular implant capable of collecting files, logging keystrokes, capturing clipboard contents, recording audio, and extracting credentials from web browsers, supporting long-term, low-noise persistence on compromised endpoints.
“The Evasive Panda threat actor has once again showcased its advanced capabilities, evading security measures with new techniques and tools while maintaining long-term persistence in targeted systems,” Kaspersky said.

