China-Aligned APT Evasive Panda Leveraged DNS Hijacking to Spread MgBot

China-Linked APT Uses DNS Poisoning to Deploy MgBot Backdoor in Targeted Espionage Campaign

A China-aligned advanced persistent threat (APT) group has been linked to a highly targeted cyber espionage campaign that leveraged DNS poisoning to deliver its signature MgBot backdoor to victims in Türkiye, China, and India. The activity, observed by Kaspersky between November 2022 and November 2024, is attributed to Evasive Panda, also tracked as Bronze Highland, Daggerfly, and StormBamboo, an actor active since at least 2012.

“The group primarily conducted adversary-in-the-middle (AitM) attacks on selected victims,” said Kaspersky researcher Fatih Şensoy. “Techniques included dropping loaders in specific locations and storing encrypted malware components on attacker-controlled servers, resolved via DNS responses to targeted websites.”

Previous DNS Poisoning Incidents
Evasive Panda’s DNS poisoning capabilities have surfaced before. In April 2023, ESET reported the group may have executed a supply chain compromise or AitM attack to distribute trojanized versions of Tencent QQ targeting an NGO in Mainland China.
In August 2024, Volexity revealed the group compromised an ISP via DNS poisoning to push malicious software updates. ESET also tracks 10 active China-linked groups using similar techniques, including LuoYu, BlackTech, TheWizards APT, and Blackwood.

Attack Techniques
Recent campaigns used fake update lures for apps like SohuVA, Baidu iQIYI Video, IObit Smart Defrag, and Tencent QQ. For example, attackers likely altered DNS responses for p2p.hd.sohu.com[.]cn, redirecting victims to attacker-controlled servers while legitimate update modules attempted to fetch binaries.
The infection chain involves:

  • Initial loader fetching shellcode disguised as a PNG image via DNS poisoning.
  • Manipulating IP resolution for legitimate domains like dictionary[.]com based on victim location and ISP.
  • Deploying a secondary loader (libpython2.4.dll) sideloaded with a renamed python.exe, which decrypts and loads the next-stage malware from C:\ProgramData\Microsoft\eHome\perf.dat using a custom hybrid of DPAPI and RC5 encryption.

This encryption ensures payloads can only be decrypted on the compromised system, complicating forensic analysis.
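As an added illustration, not from the article or from Kaspersky, the following Python sketch turns the loader chain above into detection logic run over constructed endpoint telemetry records. The record schema, the list of expected Python install directories and the sample process name are assumptions; the DLL name, the staged-payload path and the PNG lure are taken from the article.

```python
"""Detection sketch for the MgBot loader chain: renamed python.exe sideloading
libpython2.4.dll, a read of the staged perf.dat, and a 'PNG' that is not a PNG.
All records below are constructed examples, not real telemetry."""
import ntpath

SIDELOADED_DLL = "libpython2.4.dll"
STAGED_PAYLOAD = r"c:\programdata\microsoft\ehome\perf.dat"
# Assumption: where a legitimate python.exe would normally load libpython from.
EXPECTED_PYTHON_DIRS = (r"c:\python", r"c:\program files\python")
PNG_MAGIC = b"\x89PNG\r\n\x1a\n"


def looks_like_png(data: bytes) -> bool:
    """True when the first 8 bytes are the PNG file signature."""
    return data[:8] == PNG_MAGIC


def flag_event(ev: dict) -> list:
    """Return the reasons (possibly none) this record matches the loader chain."""
    reasons = []
    proc = ev.get("process_path", "").lower()
    orig = ev.get("original_filename", "").lower()
    loaded = ev.get("image_loaded", "").lower()
    if ev["type"] == "image_load" and ntpath.basename(loaded) == SIDELOADED_DLL:
        # Renamed python.exe: on-disk name differs from the PE's OriginalFileName
        if orig == "python.exe" and ntpath.basename(proc) != "python.exe":
            reasons.append("renamed python.exe loading libpython2.4.dll")
        # libpython pulled from a directory no Python install would use
        if not ntpath.dirname(loaded).startswith(EXPECTED_PYTHON_DIRS):
            reasons.append("libpython2.4.dll loaded from unexpected directory")
    if ev["type"] == "file_read" and ev.get("file_path", "").lower() == STAGED_PAYLOAD:
        reasons.append("read of staged payload perf.dat")
    if ev["type"] == "download" and ev.get("content_type") == "image/png":
        if not looks_like_png(ev.get("body_prefix", b"")):
            reasons.append("image/png response without PNG signature")
    return reasons


def scan(events: list) -> list:
    """Return (index, reasons) for every record that triggered at least one rule."""
    return [(i, r) for i, ev in enumerate(events) if (r := flag_event(ev))]


# Constructed sample records; 'update.exe' stands in for the renamed python.exe.
SAMPLE_EVENTS = [
    {"type": "image_load", "process_path": r"C:\Python311\python.exe",
     "original_filename": "python.exe", "image_loaded": r"C:\Python311\libpython2.4.dll"},
    {"type": "image_load", "process_path": r"C:\ProgramData\Microsoft\eHome\update.exe",
     "original_filename": "python.exe",
     "image_loaded": r"C:\ProgramData\Microsoft\eHome\libpython2.4.dll"},
    {"type": "file_read", "process_path": r"C:\ProgramData\Microsoft\eHome\update.exe",
     "file_path": r"C:\ProgramData\Microsoft\eHome\perf.dat"},
    {"type": "download", "content_type": "image/png", "body_prefix": b"\xfc\x48\x83\xe4\xf0"},
]
```

The first record is a benign baseline and should produce no hit; the remaining three each match one stage of the chain.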

Final Payload: MgBot
The decrypted code is an MgBot variant, injected into svchost.exe. MgBot is a modular implant capable of:

  • File exfiltration
  • Keystroke logging
  • Clipboard capture
  • Audio recording
  • Credential theft from browsers

These capabilities enable long-term stealth and persistence in targeted environments.

Attribution and Impact
Evasive Panda demonstrates advanced tradecraft, combining DNS poisoning, custom encryption, and modular implants to evade detection and maintain persistence. The campaign highlights the growing sophistication of China-linked APTs and their ability to compromise high-value targets through supply chain and network-level attacks.
