A China-linked hacking group known as Evasive Panda has been identified conducting a targeted cyber espionage campaign using DNS poisoning to distribute the MgBot backdoor. Operating between late 2022 and late 2024, the group focused its efforts on specific victims located in Türkiye, India, and China.
The threat actor, which has been active for over a decade, used adversary-in-the-middle (AitM) attacks to intercept web traffic and redirect users to malicious servers. From that on-path position it poisoned Domain Name System (DNS) responses, so that legitimate software checking for updates was steered to attacker infrastructure and downloaded malware instead of the official update. The substituted file was an initial loader that in turn pulled more complex shellcode onto the compromised system.
Evasive Panda has a documented history of using this method, including earlier operations against non-governmental organizations and internet service providers. By controlling how domains resolve, the group can serve trojanized versions of popular applications such as Tencent QQ or SohuVA. This latest activity shows the group's continued reliance on manipulating infrastructure: because the victim's own trusted application fetches the payload, controls that focus on untrusted downloads or unfamiliar processes are sidestepped.
In this campaign the attackers faked updates for several video streaming services and system utilities. When a victim's computer checked for a legitimate software update, the poisoned DNS response pointed the request at an attacker-controlled IP address, and the application installed a malicious package disguised as a routine update into its roaming application-data folder. The technique only works because the update channel trusts whatever the resolved host returns; an updater that verifies a signature on the downloaded package against a pinned key would reject the substitute no matter where DNS pointed it.
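The redirection of an update check described above depends on the victim accepting whatever answer arrives on the local path. One practical check is to compare the answer seen in-path with answers obtained out of band (for example over DoH or DoT, which an on-path attacker poisoning plain UDP/53 cannot shape). The following is an added example, not code from the article or from the threat actor's tooling: it encodes and parses DNS wire-format messages with the standard library, constructs a legitimate and a poisoned answer for a hypothetical updater domain, and flags the in-path answer when it shares no address with any reference resolver. The domain name and the IP addresses (RFC 5737 test ranges) are constructed and refer to no real vendor.

```python
"""Detect a DNS answer that disagrees with out-of-band resolvers.

Added example, not from the article. Names and addresses are constructed
(RFC 5737 documentation ranges) and do not refer to any real software.
"""
import socket
import struct


def build_query(name, txid):
    """Encode a standard A-record query for `name` in DNS wire format."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, 1 question
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def build_a_response(query, ips, ttl=300):
    """Build an A-record answer to `query`; used here only to construct sample traffic."""
    txid = struct.unpack("!H", query[:2])[0]
    question = query[12:]
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, len(ips), 0, 0)
    answers = b""
    for ip in ips:
        # 0xC00C is a compression pointer back to the question name at offset 12.
        answers += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4) + socket.inet_aton(ip)
    return header + question + answers


def _read_name(data, offset):
    """Decode a (possibly compressed) domain name starting at `offset`."""
    labels = []
    jumped = False
    end = offset
    while True:
        length = data[offset]
        if length & 0xC0 == 0xC0:  # compression pointer to an earlier name
            pointer = struct.unpack("!H", data[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2
            jumped = True
            offset = pointer
            continue
        if length == 0:
            if not jumped:
                end = offset + 1
            break
        offset += 1
        labels.append(data[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), end


def parse_response(data):
    """Return (txid, queried name, set of A-record IPs) from a DNS response."""
    txid, _flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", data[:12])
    offset = 12
    qname = None
    for _ in range(qdcount):
        qname, offset = _read_name(data, offset)
        offset += 4  # skip QTYPE and QCLASS
    ips = set()
    for _ in range(ancount):
        _, offset = _read_name(data, offset)
        rtype, rclass, _ttl, rdlength = struct.unpack("!HHIH", data[offset:offset + 10])
        offset += 10
        if rtype == 1 and rclass == 1 and rdlength == 4:
            ips.add(socket.inet_ntoa(data[offset:offset + 4]))
        offset += rdlength
    return txid, qname, ips


def is_divergent(local_ips, reference_answers):
    """True when the in-path answer shares no address with any out-of-band resolver.

    `reference_answers` maps a resolver label to the IP set it returned.
    CDN-backed domains legitimately differ per resolver, so any overlap is
    treated as benign rather than requiring the sets to be equal.
    """
    reference_union = set().union(*reference_answers.values()) if reference_answers else set()
    return bool(local_ips) and local_ips.isdisjoint(reference_union)


if __name__ == "__main__":
    query = build_query("update.example-updater.invalid", 0x1234)
    # Constructed: the answer seen on the local path versus two DoH resolvers' answers.
    on_path = parse_response(build_a_response(query, ["198.51.100.7"]))[2]
    out_of_band = {"doh-1": {"203.0.113.10"}, "doh-2": {"203.0.113.10", "203.0.113.11"}}
    print("divergent" if is_divergent(on_path, out_of_band) else "consistent")
```

The overlap rule rather than strict equality is deliberate: many update hosts sit behind CDNs and return different addresses to different resolvers, so requiring identical answers would drown the signal in false positives. Divergence is a trigger for closer inspection (certificate, signature on the downloaded file), not proof of compromise on its own.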
In the final stages of the infection the initial shellcode fetched additional encrypted components. The group staged these encrypted files on the legitimate website dictionary.com, hidden inside PNG image files. Blending malicious downloads with traffic to a reputable domain makes the intrusion significantly harder to detect for network monitoring that relies on domain reputation or blocklists, because the transfer looks like an ordinary image fetch from a well-known site.
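The article does not say how the encrypted components were placed inside the PNG files, so the check below is an added example, not the article's or the actor's code: it walks the chunk structure of a PNG and reports two common ways of smuggling a payload that an image viewer never looks at, bytes appended after the IEND chunk and chunks with a type the PNG specification does not define, and it also reports CRC mismatches and truncation. The sample image is a 1x1 PNG constructed inline, and the "payload" bytes are arbitrary constructed data, not real malware.

```python
"""Flag PNG files carrying data where an image decoder would never look.

Added example, not from the article. The sample PNG and the appended
'payload' are constructed inline.
"""
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
# Chunk types defined by the PNG specification; anything else deserves a look.
KNOWN_CHUNKS = {
    b"IHDR", b"PLTE", b"IDAT", b"IEND", b"tRNS", b"cHRM", b"gAMA", b"iCCP",
    b"sBIT", b"sRGB", b"tEXt", b"zTXt", b"iTXt", b"bKGD", b"hIST", b"pHYs",
    b"sPLT", b"tIME", b"eXIf",
}


def _chunk(ctype, body):
    """Serialise one PNG chunk: length, type, data, CRC over type + data."""
    crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
    return struct.pack("!I", len(body)) + ctype + body + struct.pack("!I", crc)


def make_minimal_png():
    """Construct a valid 1x1 8-bit greyscale PNG to serve as a benign sample."""
    ihdr = struct.pack("!IIBBBBB", 1, 1, 8, 0, 0, 0, 0)  # width, height, depth, colour type...
    raw = b"\x00\x00"  # one scanline: filter byte + one grey pixel
    return (PNG_SIGNATURE + _chunk(b"IHDR", ihdr)
            + _chunk(b"IDAT", zlib.compress(raw)) + _chunk(b"IEND", b""))


def inspect_png(data):
    """Walk the chunk list and return a list of findings (empty means nothing odd)."""
    findings = []
    if not data.startswith(PNG_SIGNATURE):
        return ["not a PNG: bad signature"]
    offset = len(PNG_SIGNATURE)
    while offset + 8 <= len(data):
        length, ctype = struct.unpack("!I4s", data[offset:offset + 8])
        body = data[offset + 8:offset + 8 + length]
        crc_field = data[offset + 8 + length:offset + 12 + length]
        if len(body) < length or len(crc_field) < 4:
            findings.append(f"truncated {ctype!r} chunk at offset {offset}")
            return findings
        if struct.unpack("!I", crc_field)[0] != zlib.crc32(ctype + body) & 0xFFFFFFFF:
            findings.append(f"CRC mismatch in {ctype!r} chunk at offset {offset}")
        if ctype not in KNOWN_CHUNKS:
            findings.append(f"unknown chunk type {ctype!r} ({length} bytes) at offset {offset}")
        offset += 12 + length
        if ctype == b"IEND":
            trailing = len(data) - offset
            if trailing:
                findings.append(f"{trailing} bytes after IEND")
            return findings
    findings.append("no IEND chunk")
    return findings


if __name__ == "__main__":
    clean = make_minimal_png()
    # Constructed payload appended after IEND; decoders ignore it, so the image still renders.
    smuggled = clean + b"ENCRYPTED-BLOB-CONSTRUCTED"
    print("clean:", inspect_png(clean))
    print("appended:", inspect_png(smuggled))
```

A clean chunk walk does not prove the file is benign: a payload can also sit inside a syntactically valid tEXt or IDAT chunk, or be spread across pixel data. Treat these findings as a cheap first filter on image downloads from otherwise reputable hosts, and follow up with entropy checks or decoding of the suspicious region.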
Source: China Linked Evasive Panda Ran DNS Poisoning To Spread MgBot Malware