China-Linked ‘Evasive Panda’ Poisoned DNS

China-Linked ‘Evasive Panda’ Poisoned DNS to Hack Users in India, Türkiye and China

The420.in Staff

A China-linked advanced persistent threat (APT) group tracked as Evasive Panda has been running a highly targeted cyber-espionage campaign that hijacks Domain Name System (DNS) requests to silently install its MgBot backdoor on systems in India, Türkiye and China. Security firm Kaspersky says the operation ran for two years, from November 2022 to November 2024, and relied on adversary-in-the-middle (AitM) and DNS‑poisoning attacks that abused legitimate software update mechanisms.

Also known as Bronze Highland, Daggerfly and StormBamboo, Evasive Panda has been active since at least 2012 and is considered a China-aligned cyber-espionage outfit.

How DNS Poisoning Turned Legit Apps into Malware Droppers

Researchers found that attackers impersonated updates for popular Windows applications like SohuVA (a Sohu video client), Baidu’s iQIYI Video, IObit Smart Defrag and Tencent QQ. In one case, the domain p2p.hd.sohu.com.cn was likely hijacked so that when the genuine SohuVA updater tried to pull binaries, DNS responses were silently altered to point to an attacker-controlled server instead.

Similar fake updaters were dropped into installation folders for iQIYI Video and other apps, then executed by legitimate services to blend into normal system activity. All of this allowed the group to piggyback on user trust in routine software updates.

Multi-Stage Infection Using Dictionary.com and Custom Encryption

Once a victim was hooked, Evasive Panda used a staged chain: an initial loader launched shellcode that fetched a second-stage payload disguised as a PNG image file, again delivered via DNS poisoning. In one campaign, DNS responses for dictionary.com were manipulated so that only users from certain ISPs and regions resolved the site to attacker IPs instead of the real service.

Kaspersky notes it is still unclear exactly how DNS was poisoned; possibilities include implants at compromised ISPs or hacked edge routers/firewalls at victim networks. The HTTP request to retrieve the second-stage code also contained the victim’s Windows version, suggesting tailored payloads per OS.
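One practical check for the poisoning pattern described above is to compare what the local (ISP) resolver returns for update domains against a trusted reference resolver and flag disagreements. The block below is an added example, not code from Kaspersky or the article; the record format, resolver names and IP addresses are constructed for illustration (the domains are the ones the article names).

```python
"""Flag DNS answers that diverge between local resolvers and a trusted
reference resolver, the tell-tale of poisoned update channels."""
from collections import defaultdict
import ipaddress

# Constructed passive-DNS style records: (qname, resolver, answer_ip).
# "ref-doh" stands in for a trusted out-of-band resolver. "isp-a" is
# poisoned for both article domains; "isp-b" only for a non-update domain.
RECORDS = [
    ("p2p.hd.sohu.com.cn", "isp-a",   "203.0.113.10"),
    ("p2p.hd.sohu.com.cn", "ref-doh", "198.51.100.7"),
    ("dictionary.com",     "isp-a",   "203.0.113.22"),
    ("dictionary.com",     "isp-b",   "192.0.2.80"),
    ("dictionary.com",     "ref-doh", "192.0.2.80"),
    ("cdn.example.net",    "isp-b",   "203.0.113.99"),
    ("cdn.example.net",    "ref-doh", "192.0.2.9"),
    ("update.example.org", "isp-a",   "192.0.2.50"),
    ("update.example.org", "ref-doh", "192.0.2.50"),
]

# Domains the article reports being abused as update/second-stage channels.
UPDATE_DOMAINS = {"p2p.hd.sohu.com.cn", "dictionary.com"}


def divergent_answers(records, reference="ref-doh"):
    """Return {qname: {resolver: [ips]}} for every resolver that handed out
    an A record the reference resolver never returned for that name."""
    by_name = defaultdict(lambda: defaultdict(set))
    for qname, resolver, ip in records:
        by_name[qname][resolver].add(ipaddress.ip_address(ip))
    findings = {}
    for qname, per_resolver in by_name.items():
        trusted = per_resolver.get(reference, set())
        for resolver, ips in per_resolver.items():
            extra = ips - trusted
            if resolver != reference and extra:
                findings.setdefault(qname, {})[resolver] = sorted(str(i) for i in extra)
    return findings


def triage(records):
    """Split findings: update-channel domains are high priority, the rest medium."""
    findings = divergent_answers(records)
    high = {q: v for q, v in findings.items() if q in UPDATE_DOMAINS}
    medium = {q: v for q, v in findings.items() if q not in UPDATE_DOMAINS}
    return high, medium


if __name__ == "__main__":
    for level, hits in zip(("HIGH", "MEDIUM"), triage(RECORDS)):
        for qname, per_resolver in hits.items():
            print(f"{level}: {qname} -> {per_resolver}")
```

Geo-aware CDNs legitimately return different answers per region, so run the reference resolver from the same vantage point or allowlist the CDN's published ranges before treating a medium finding as an incident.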

DPAPI + RC5: Making Payloads Host-Locked and Hard to Analyse

A key innovation was a secondary loader (libpython2.4.dll) that was sideloaded by a renamed python.exe and retrieved the next stage from a file stored at C:\ProgramData\Microsoft\eHome\perf.dat. Kaspersky says this file held data that was first XOR-encrypted, then re-encrypted and stored using a custom hybrid of Microsoft’s DPAPI and the RC5 algorithm.

Because DPAPI ties decryption to a specific Windows machine, the design means the stored blob can only be decoded on the originally infected host, frustrating attempts by defenders to intercept and analyse payloads outside the target system.

MgBot Backdoor: Keylogging, File Theft, Audio Recording

The final decrypted implant is a variant of MgBot, a modular espionage framework Evasive Panda has used for over a decade. MgBot supports plugins for harvesting files, logging keystrokes, grabbing clipboard data, recording audio streams and stealing browser credentials, allowing the group to maintain long-term, low‑noise access to compromised systems.

Kaspersky telemetry shows victims in Türkiye, China and India, with some systems remaining infected for more than a year, underlining the campaign’s persistence and resource intensity.

Why This Matters for India

Security analysts warn that DNS‑level attacks and hijacked update channels are particularly dangerous because they abuse core internet trust mechanisms that most organisations take for granted. For Indian enterprises and government bodies, the campaign is a reminder that:

  • Insecure or unsigned update mechanisms are high‑value targets.
  • DNS traffic and resolver infrastructure need monitoring and hardening.
  • Long‑lived APT footholds may hide behind “normal” app update traffic for years.

Kaspersky calls Evasive Panda’s latest activity “a textbook example of how a mature APT can reuse known tools like MgBot while constantly evolving its delivery chain to evade modern defences.”