Security researchers at Kaspersky have uncovered a sophisticated cyber-espionage operation attributed to the China-linked advanced persistent threat (APT) group known as Evasive Panda, also tracked as Daggerfly, Bronze Highland, and StormBamboo. The campaign leveraged DNS poisoning techniques to distribute the MgBot backdoor, targeting select victims across Türkiye, China, and India.

Active for over a decade, Evasive Panda is widely recognized for developing and deploying the custom MgBot malware framework. In 2023, Symantec previously linked the group to an intrusion at an African telecommunications provider, where new MgBot plugins were observed—demonstrating the group’s continued refinement of its cyber-espionage toolkit.

According to Kaspersky, the latest campaign was highly selective in nature and operated for nearly two years, beginning in November 2022 and continuing through November 2024.

The attackers employed adversary-in-the-middle (AiTM) techniques, delivering encrypted malware components through manipulated DNS responses. Each target received a tailored implant designed to evade detection. The MgBot backdoor was injected directly into legitimate processes in memory, frequently using DLL sideloading, allowing the malware to remain concealed for extended periods.

Initial compromise was achieved through fake software updates masquerading as legitimate applications. In one observed case, threat actors distributed a malicious executable posing as a SohuVA update, likely delivered through DNS poisoning that redirected update requests to infrastructure under attacker control.

“The malicious package, named sohuva_update_10.2.29.1-lup-s-tp.exe, clearly impersonates a real SohuVA update to deliver malware from the following resource”

“There is a possibility that the attackers used a DNS poisoning attack to alter the DNS response of p2p.hd.sohu.com[.]cn to an attacker-controlled server’s IP address, while the genuine update module of the SohuVA application tries to update its binaries located in appdata\roaming\shapp\7.0.18.0\package.”

Beyond SohuVA, similar trojanized updaters were observed targeting widely used applications such as iQIYI Video, IObit Smart Defrag, and Tencent QQ, often launched by legitimate system services to reinforce trust and avoid suspicion.

The initial malware loader, written in C++ and built using the Windows Template Library, was disguised as a harmless sample project. Once executed, it decrypted and decompressed its configuration data, revealing installation directories, command-and-control domains, and encrypted MgBot parameters. The malware dynamically altered its behavior based on the active user context, decrypted strings only at runtime, and used XOR and LZMA obfuscation to hinder analysis. Ultimately, it executed shellcode directly in memory after modifying memory permissions, enabling covert deployment without leaving obvious forensic traces.

The infection chain followed a multi-stage execution model. The first-stage loader launched shellcode that concealed API usage by resolving Windows functions via hashing. This shellcode searched for a specific DAT file within the installation directory. If found, the file was decrypted using Windows CryptUnprotectData, ensuring it could only be accessed on the infected system, before being deleted to erase evidence.

If the DAT file was absent, the shellcode retrieved the next stage from the internet. Through DNS poisoning, victims were redirected to attacker-controlled servers while believing they were accessing legitimate domains such as dictionary.com. System details, including the Windows version, were transmitted via HTTP headers, allowing attackers to tailor payloads accordingly. The downloaded data was decrypted using XOR, memory permissions were altered, and the payload was executed. The malware later re-encrypted the payload and stored it in a newly created DAT file, often unique to each victim.

Researchers also identified a secondary loader named libpython2.4.dll, which masqueraded as a legitimate Windows library. This component was loaded through a signed executable, evteng.exe—an outdated Python binary—to further mask malicious activity. The loader recorded its file path in status.dat, likely to support future updates, and decrypted additional payloads from perf.dat, which were also delivered via DNS poisoning. Throughout this process, the attackers repeatedly renamed and relocated the payloads, decrypting them with XOR and re-encrypting them using a customized combination of DPAPI and RC5, effectively binding the malware to the infected host and complicating analysis.

Kaspersky telemetry indicates confirmed victims in Türkiye, China, and India, with some systems remaining compromised for more than a year. The prolonged duration of the operation highlights the attackers’ persistence, operational maturity, and access to substantial resources.

The observed tactics, techniques, and procedures (TTPs) strongly align with previous Evasive Panda operations. While a new loader was introduced, the attackers continued to rely on the long-established MgBot implant, albeit with updated configuration elements. As seen in earlier campaigns, Evasive Panda favored stealthy propagation methods such as supply-chain compromise, adversary-in-the-middle attacks, and watering-hole techniques to avoid detection.

“The Evasive Panda threat actor has once again showcased its advanced capabilities, evading security measures with new techniques and tools while maintaining long-term persistence in targeted systems.”

“Our investigation suggests that the attackers are continually improving their tactics, and it is likely that other ongoing campaigns exist. The introduction of new loaders may precede further updates to their arsenal.”