Key Takeaways
The advanced persistent threat group known as Evasive Panda (or Daggerfly) continues to evolve, as seen in a highly targeted cyberespionage campaign that has been active for two years. The operation employs sophisticated adversary-in-the-middle (AitM) and DNS poisoning techniques to compromise victims in Asia.
The initial infection vector distributes malicious packages disguised as legitimate updates for the Chinese video app iQIYI (similar to SohuVA), as well as for IObit Smart Defrag and Tencent QQ. The update requests are redirected to attacker-controlled servers that deliver a custom, multi-stage loader built for stealth.
The Evasive Panda APT infection process is complex and designed to evade analysis. Once the initial loader runs, it starts a multi-stage shellcode execution chain. The encrypted second-stage payload was disguised as a PNG file fetched from a legitimate website (dictionary[.]com) whose DNS responses had been poisoned, the SecureLabs researchers said.
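A defender-side check that follows from the PNG disguise described above: validate the structure of anything a process downloads as a "PNG" instead of trusting the extension or content type. This is an added example, not code from the report or from SecureLabs; the sample files are constructed inline, and the exact way the real payload was packaged is not described on this page, so the checker only demonstrates the generic signals (bad chunk framing, failed CRCs, data appended after IEND).

```python
import struct
import zlib

PNG_MAGIC = b"\x89PNG\r\n\x1a\n"


def png_anomalies(data: bytes) -> list[str]:
    """Return reasons why `data` is not a well-formed PNG (empty list = clean)."""
    problems = []
    if not data.startswith(PNG_MAGIC):
        return ["missing PNG signature"]
    pos = len(PNG_MAGIC)
    saw_ihdr = saw_iend = False
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        chunk_end = pos + 8 + length + 4          # length field + type + body + CRC
        if chunk_end > len(data):                 # ciphertext parsed as a length runs off the file
            problems.append(f"chunk {ctype!r} at offset {pos} runs past end of file")
            break
        body = data[pos + 8:pos + 8 + length]
        (crc,) = struct.unpack(">I", data[pos + 8 + length:chunk_end])
        if zlib.crc32(ctype + body) != crc:       # CRC covers type + body per the PNG spec
            problems.append(f"bad CRC on chunk {ctype!r} at offset {pos}")
        if not ctype.isalpha():
            problems.append(f"non-alphabetic chunk type {ctype!r} at offset {pos}")
        if pos == len(PNG_MAGIC) and ctype != b"IHDR":
            problems.append("first chunk is not IHDR")
        saw_ihdr |= ctype == b"IHDR"
        if ctype == b"IEND":
            saw_iend = True
            if chunk_end != len(data):            # payload stapled after a real image
                problems.append(f"{len(data) - chunk_end} trailing bytes after IEND")
            break
        pos = chunk_end
    if not saw_ihdr:
        problems.append("no IHDR chunk")
    if not saw_iend:
        problems.append("no IEND chunk")
    return problems


def make_chunk(ctype: bytes, body: bytes) -> bytes:
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", zlib.crc32(ctype + body))


def minimal_png() -> bytes:
    """Constructed sample: a genuine 1x1 8-bit grayscale PNG."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
    idat = zlib.compress(b"\x00\x00")             # filter byte + one pixel
    return PNG_MAGIC + make_chunk(b"IHDR", ihdr) + make_chunk(b"IDAT", idat) + make_chunk(b"IEND", b"")


# Constructed sample: opaque bytes with only the PNG signature prepended.
FAKE_PNG = PNG_MAGIC + bytes(range(64))
```

Run `png_anomalies()` over downloads written by updater or browser processes and alert on any non-empty result; `png_anomalies(minimal_png() + b"X" * 100)` shows the appended-payload case.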
The malware uses hybrid encryption, combining Microsoft’s DPAPI with the RC5 algorithm, to ensure payloads are unique to each victim and can be decrypted only on the compromised machine.
The final stage of the attack involves injecting the group's MgBot implant into legitimate system processes, such as svchost.exe, enabling long-term persistence and control. The attackers also leverage multiple command-and-control (C2) servers, some of which have been active for several years.
“As for the AitM attack, we do not have any reliable sources on how the threat actor delivers the initial loader, and the process of poisoning DNS responses for legitimate websites, such as dictionary[.]com, is still unknown,” the SecureLabs researchers said.
This long-running campaign, which has successfully compromised targets in Türkiye, China, and India, with some systems remaining compromised for over a year, demonstrates the group's significant investment in resources and long-term intelligence gathering.
Last month, a Chinese APT24 cyberespionage campaign deployed BADAUDIO malware in Taiwan. In July, APT36 targeted the Indian defense sector with fake cybersecurity advisories hiding advanced Linux malware.