A China-linked advanced persistent threat (APT) group known as Evasive Panda has been linked to a sophisticated cyber-espionage campaign that used Domain Name System (DNS) poisoning to deliver its MgBot backdoor malware. According to Kaspersky, the highly targeted activity was observed between November 2022 and November 2024, impacting victims in Türkiye, China, and India.
Tracked under multiple names including Bronze Highland, Daggerfly, and StormBamboo, Evasive Panda has been active since at least 2012. The group primarily relies on adversary-in-the-middle (AitM) attacks, manipulating DNS responses to redirect legitimate software update requests to attacker-controlled servers. These poisoned updates then deliver malicious loaders and encrypted payloads tailored to specific victims.
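The poisoned-update technique described above hinges on an update hostname suddenly resolving to an address the vendor never used. As an added defender-side example (not code from the article or from the researchers it cites), the script below checks constructed DNS answer logs for monitored update hostnames against an assumed known-good allowlist; the hostnames, networks and log format are all hypothetical.

```python
import ipaddress
from collections import defaultdict

# Assumed allowlist (constructed for this example): update hosts -> expected networks.
EXPECTED_NETS = {
    "update.example-vendor.test": [ipaddress.ip_network("203.0.113.0/24")],
    "dl.example-cdn.test": [ipaddress.ip_network("198.51.100.0/24")],
}

# Constructed sample log, one "<epoch>\t<queried name>\t<answer address>" per line.
SAMPLE_LOG = (
    "1700000001\tupdate.example-vendor.test\t203.0.113.10\n"
    "1700000002\tdl.example-cdn.test\t198.51.100.7\n"
    "1700000003\tupdate.example-vendor.test\t192.0.2.55\n"
    "1700000004\tupdate.example-vendor.test\t203.0.113.12\n"
    "1700000005\tnews.example-site.test\t192.0.2.80\n"
)

def parse_line(line):
    ts, name, answer = line.rstrip("\n").split("\t")
    return int(ts), name.lower().rstrip("."), ipaddress.ip_address(answer)

def is_expected(name, addr):
    nets = EXPECTED_NETS.get(name)
    if nets is None:
        return True  # host not monitored, so there is no baseline to compare against
    return any(addr in net for net in nets)

def find_suspect_answers(log_text):
    """Return (ts, name, answer) for monitored update hosts resolved outside their allowlist."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, name, addr = parse_line(line)
        if not is_expected(name, addr):
            hits.append((ts, name, str(addr)))
    return hits

def answer_sets(log_text):
    """Distinct answers seen per host; a monitored host that keeps changing deserves a second look."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        if line.strip():
            _, name, addr = parse_line(line)
            seen[name].add(str(addr))
    return {name: sorted(addrs) for name, addrs in seen.items()}

if __name__ == "__main__":
    for hit in find_suspect_answers(SAMPLE_LOG):
        print("suspect update resolution:", hit)
```

In practice the allowlist would be built from the vendor's published ranges or from a resolver the host does not share with the network path under suspicion, so that a single manipulated answer stands out against the baseline.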
Previous research by ESET and Volexity has also documented similar DNS poisoning and supply-chain style attacks by the group, including compromised ISPs and trojanized versions of popular applications such as Tencent QQ, Baidu iQIYI, and IObit Smart Defrag.
In the latest campaign, attackers used multi-stage loaders, custom encryption combining DPAPI and RC5, and victim-specific payloads to evade detection. The final payload, an MgBot variant injected into legitimate system processes, enables long-term surveillance through credential theft, keystroke logging, audio recording, and data exfiltration.
Security researchers warn that Evasive Panda’s continued evolution highlights the growing risk of DNS-level attacks and the need for stronger network-level defenses against nation-state cyber threats.