Evasive Panda’s DNS Poisoning Campaign: China’s New Tactic to Deploy MgBot Malware

A China-linked advanced persistent threat (APT) group has been tied to a sophisticated cyber espionage campaign that uses Domain Name System (DNS) poisoning to deliver its MgBot backdoor. The operation primarily targeted individuals in Türkiye, China, and India, and Kaspersky reports that it ran between November 2022 and November 2024. The group, known as Evasive Panda, is also tracked under names such as Bronze Highland and Daggerfly, and is believed to have been active since at least 2012.

Kaspersky researcher Fatih Şensoy reported that the group carried out adversary-in-the-middle (AitM) attacks against specific victims, using techniques that embed malware within legitimate software sources. The group’s use of DNS poisoning has been noted before: in April 2023, ESET reported incidents in which Evasive Panda was thought to have deployed trojanized applications to target NGOs in Mainland China.

Recent findings by Volexity highlighted how Evasive Panda compromised an unnamed Internet Service Provider (ISP) through DNS poisoning, which allowed the threat actors to send malicious software updates to pre-selected targets.

In the recent attacks, the APT used deceptive update notifications for third-party software, such as SohuVA, a video streaming platform. The malicious updates were traced back to a specific domain, pointing to DNS manipulation in which legitimate update requests were redirected to servers controlled by the attackers.

The attackers are believed to have modified DNS responses so that victims’ devices connected to an attacker-managed IP address. How the DNS poisoning was carried out remains unclear; it may have involved targeting specific ISPs or exploiting compromised routers.
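The attack hinges on an update host resolving to an address the vendor does not control. A defender-side check for that condition, added here as an illustration rather than anything from the Kaspersky report: compare the answers your local resolver gives for update hostnames against an independent reference resolver, and flag any answer outside the vendor's published prefixes. All hostnames, addresses and prefixes below are constructed placeholders, not indicators from the campaign.

```python
import ipaddress
from typing import Dict, List

# Constructed sample data (placeholders, not indicators from the report):
# A-record answers seen from the local stub resolver versus answers from an
# independent reference resolver (for example a DNS-over-HTTPS resolver
# queried out of band) for the hostnames an updater contacts.
LOCAL_ANSWERS: Dict[str, List[str]] = {
    "update.example-vendor.test": ["198.51.100.7"],               # differs AND off-prefix
    "dl.example-vendor.test": ["203.0.113.200"],                  # differs, still on-prefix
    "cdn.example-vendor.test": ["203.0.113.10", "203.0.113.11"],  # same set, other order
    "telemetry.example-vendor.test": ["203.0.113.40"],
}
REFERENCE_ANSWERS: Dict[str, List[str]] = {
    "update.example-vendor.test": ["203.0.113.5"],
    "dl.example-vendor.test": ["203.0.113.20"],
    "cdn.example-vendor.test": ["203.0.113.11", "203.0.113.10"],
    "telemetry.example-vendor.test": ["203.0.113.40"],
}
# Constructed allow-list: prefixes the vendor is assumed to publish from.
VENDOR_PREFIXES = [ipaddress.ip_network("203.0.113.0/24")]


def divergent_hosts(local: Dict[str, List[str]], reference: Dict[str, List[str]]) -> List[str]:
    """Hostnames whose local answer set differs from the reference answer set.
    Address order is ignored because resolvers rotate round-robin answers."""
    return sorted(h for h in local if h in reference and set(local[h]) != set(reference[h]))


def off_prefix_hosts(answers: Dict[str, List[str]], prefixes) -> List[str]:
    """Hostnames resolving to at least one address outside the vendor's prefixes."""
    flagged = []
    for host, addrs in answers.items():
        if any(not any(ipaddress.ip_address(a) in p for p in prefixes) for a in addrs):
            flagged.append(host)
    return sorted(flagged)


def suspicious_hosts(local, reference, prefixes) -> List[str]:
    """Union of both signals; either one warrants a look before an updater
    is allowed to download from the resolved address."""
    return sorted(set(divergent_hosts(local, reference)) | set(off_prefix_hosts(local, prefixes)))


if __name__ == "__main__":
    for host in suspicious_hosts(LOCAL_ANSWERS, REFERENCE_ANSWERS, VENDOR_PREFIXES):
        print(f"[!] {host}: local={LOCAL_ANSWERS[host]} reference={REFERENCE_ANSWERS.get(host)}")
```

A mismatch is only a lead, not proof: CDN geolocation and legitimate rotation also produce different answers, so the off-prefix signal is the stronger of the two.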

Kaspersky also detailed the sophistication of the attack chain. The initial loader fetches shellcode concealed in a PNG image file, retrieved through DNS queries to a legitimately existing site. That shellcode then decrypts and executes an MgBot variant with access to a range of system functionality, enabling file harvesting, keystroke logging, and audio capture.

This advanced use of DNS poisoning points to a growing trend among China-aligned threat groups of using such capabilities for malware distribution. Evasive Panda’s recent activity exemplifies the ongoing threat posed by state-sponsored actors and underlines the need for stronger measures to detect and mitigate these tactics.

