Full Report
A China-linked advanced persistent threat (APT) group has been attributed to a highly-targeted cyber espionage campaign in which the adversary poisoned Domain Name System (DNS) requests to deliver its signature MgBot backdoor in attacks targeting victims in Türkiye, China, and India. The activity, Kaspersky said, was observed between November 2022 and November 2024. It has been linked to a
Analysis Summary
# Threat Actor: Evasive Panda
## Attribution & Identity
**Attribution:** China-linked Advanced Persistent Threat (APT) group.
**Known Aliases and Associated Groups:** Bronze Highland, Daggerfly, StormBamboo.
**Active Since:** At least 2012.
## Activity Summary
The group was observed conducting a highly targeted cyber espionage campaign between November 2022 and November 2024. The campaign used DNS poisoning (altered DNS responses) to redirect victims to attacker-controlled servers that delivered the group's signature **MgBot** backdoor. The resulting Adversary-in-the-Middle (AitM) position was used selectively, against specific victims rather than indiscriminately. Manipulating DNS responses is a recurring technique for this actor: prior incidents involved delivering trojanized versions of legitimate applications (such as Tencent QQ) and compromising ISPs to push malicious updates.
## Tactics, Techniques & Procedures
- **Initial Access/Distribution:** DNS poisoning/spoofing to redirect victims to attacker-controlled servers in response to legitimate website DNS requests.
- **Adversary-in-the-Middle (AitM):** Used selectively against specific victims.
- **Malware Delivery:** Dropping loaders into specific locations.
- **Second-Stage Retrieval:** Fetching encrypted second-stage shellcode disguised as a PNG image file, again via DNS poisoning targeting `dictionary[.]com`.
- **Lures:** Masquerading updates for legitimate third-party software (e.g., SohuVA, Baidu iQIYI Video, IObit Smart Defrag).
- **Victim profiling/Adaptation:** The HTTP request for the second-stage shellcode includes the current Windows version number, suggesting the server tailors or gates the payload by OS version.
- **Suspected Initial Compromise Vectors for DNS Poisoning:** Compromising ISPs via network implants on edge devices, or hacking victim routers/firewalls.
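One check a practitioner could run on a payload like the PNG-disguised second stage described above, as an added example that is not part of the Kaspersky report or the original page: verify that a file served as a PNG actually has PNG structure (signature, CRC-checked chunks, IHDR first, IEND last), and treat a high-entropy file that fails this check as an opaque, possibly encrypted, payload. The report does not say whether the disguised shellcode carried a PNG header at all, so the sample files below are constructed, and the 7.5-bit entropy cutoff is an assumption.

```python
# Added example (not from the Kaspersky report or the original page): decide whether
# bytes served as a PNG are structurally a PNG or an opaque blob such as encrypted
# shellcode carrying a .png name or image/png Content-Type. Sample files are
# constructed; the 7.5-bit entropy threshold is an assumption.
import hashlib
import math
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
OPAQUE_ENTROPY_BITS = 7.5  # assumed cutoff; compressed/encrypted data sits near 8.0


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte (0.0 to 8.0)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def parse_png_chunks(data: bytes) -> list:
    """Return [(chunk_type, body), ...]; raise ValueError on any structural fault."""
    if not data.startswith(PNG_SIGNATURE):
        raise ValueError("missing PNG signature")
    pos, chunks = len(PNG_SIGNATURE), []
    while pos < len(data):
        if pos + 8 > len(data):
            raise ValueError("truncated chunk header")
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        end = pos + 12 + length  # header (8) + body + CRC (4)
        if end > len(data):
            raise ValueError(f"truncated chunk body in {ctype!r}")
        body = data[pos + 8:pos + 8 + length]
        (crc,) = struct.unpack(">I", data[pos + 8 + length:end])
        if (zlib.crc32(ctype + body) & 0xFFFFFFFF) != crc:
            raise ValueError(f"bad CRC in {ctype!r}")
        chunks.append((ctype, body))
        pos = end
        if ctype == b"IEND":
            break
    if not chunks or chunks[0][0] != b"IHDR" or chunks[-1][0] != b"IEND":
        raise ValueError("IHDR must be first and IEND last")
    return chunks


def classify(data: bytes) -> dict:
    """'png' if the file parses; otherwise 'opaque_blob' (high entropy) or 'malformed'."""
    entropy = round(shannon_entropy(data), 2)
    try:
        chunks = parse_png_chunks(data)
    except ValueError as exc:
        verdict = "opaque_blob" if entropy > OPAQUE_ENTROPY_BITS else "malformed"
        return {"verdict": verdict, "reason": str(exc), "entropy": entropy}
    return {"verdict": "png", "chunks": [c.decode("ascii") for c, _ in chunks], "entropy": entropy}


# --- constructed samples ---------------------------------------------------
def _chunk(ctype: bytes, body: bytes) -> bytes:
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", zlib.crc32(ctype + body) & 0xFFFFFFFF)


# A genuine 1x1 RGB PNG built by hand.
SAMPLE_PNG = (PNG_SIGNATURE
              + _chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0))
              + _chunk(b"IDAT", zlib.compress(b"\x00\x00\x00\x00"))
              + _chunk(b"IEND", b""))

# Stand-in for an encrypted second stage: a PNG signature followed by 4 KiB of
# deterministic pseudo-random bytes (SHA-256 outputs), i.e. no chunk structure.
SAMPLE_BLOB = PNG_SIGNATURE + b"".join(hashlib.sha256(bytes([i])).digest() for i in range(128))

if __name__ == "__main__":
    for name, blob in (("genuine", SAMPLE_PNG), ("disguised", SAMPLE_BLOB)):
        print(name, classify(blob))
```

The structural parse matters more than the magic bytes: a loader that prepends a real PNG signature to ciphertext still fails chunk parsing, and the entropy reading separates "encrypted payload" from "corrupt download" so the two can be triaged differently.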
## Targeting
- **Sectors:** Not named in the report; the highly targeted nature of the campaign is consistent with espionage against selected organizations rather than opportunistic intrusion.
- **Geography:** Türkiye, China, and India.
- **Victims:** Specific organizations not named, but previous activity targeted an international Non-Governmental Organization (NGO) in Mainland China and victims via compromised ISPs.
## Tools & Infrastructure
- **Malware Families Used:** MgBot (backdoor).
- **Infrastructure:** Attacker-controlled servers reached via poisoned DNS responses. Domains mentioned in the context of lures include `p2p.hd.sohu.com[.]cn`. The second-stage shellcode retrieval targeted the legitimate domain `dictionary[.]com`, whose poisoned answer pointed to an attacker-controlled IP selected according to the victim's geography/ISP.
## Implications
Evasive Panda is a mature, long-running threat actor (active since 2012) showing sophistication in initial access through DNS manipulation (AitM), a multi-stage infection chain (fake update lure, then loader, then encrypted second-stage shellcode disguised as a PNG), and adaptation of the payload to the target's OS version. Its willingness to compromise ISPs highlights a capability for broad, latent compromise that can be turned against multiple downstream targets.
## Mitigations
- Monitor and validate DNS resolution paths: compare the answers internal resolvers return for software-update and other high-value domains against an out-of-band reference (for example a DoH/DoT resolver that does not traverse the local ISP path, or a pinned baseline) and alert on divergence between expected and actual resolved IPs.
- Enhance monitoring for suspicious modifications to local network edge devices (routers/firewalls) that could facilitate DNS-level manipulation.
- Be highly suspicious of updates delivered via third-party application update mechanisms, especially if they involve unexpected domains or methods.
- Deploy network traffic analysis that can correlate a legitimate domain resolving to an unexpected IP with a subsequent download from that IP (an update or an image fetch), since that sequence is what this infection chain relies on.
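The first and last mitigations can be implemented together as one detection. The following is an added example, not code from the Kaspersky report or the original page: it compares what an internal resolver answered for watched domains against out-of-band reference answers, then correlates any divergent answer with a later HTTP request from the same client to the divergent IP. The log line formats, client addresses, reference prefixes and answer IPs (all RFC 5737 documentation ranges) are constructed; only the two domain names come from the page.

```python
# Added example (not from the Kaspersky report or the original page): a detector
# that (1) compares the answers an internal resolver gave for watched domains
# against out-of-band reference answers and (2) correlates a divergent answer
# with a later HTTP request from the same client to the divergent IP, which is
# the "legitimate name -> malicious IP -> download" sequence the chain relies on.
# Log formats, clients, IPs (RFC 5737 ranges) and reference prefixes are constructed.
from dataclasses import dataclass
import ipaddress
import re

# What a resolver outside the local ISP path (e.g. DoH/DoT) or a pinned baseline
# returned for the domains this campaign abused. Placeholder prefixes.
REFERENCE = {
    "dictionary.com": ["192.0.2.0/24"],
    "p2p.hd.sohu.com.cn": ["198.51.100.0/24"],
}

DNS_RE = re.compile(r"^(?P<ts>\S+) client=(?P<client>\S+) qname=(?P<qname>\S+) answer=(?P<ip>\S+)$")
HTTP_RE = re.compile(r"^(?P<ts>\S+) client=(?P<client>\S+) dst=(?P<dst>\S+) host=(?P<host>\S+) path=(?P<path>\S+)$")


@dataclass
class Finding:
    severity: str   # "medium": divergent answer; "high": client then fetched from it
    client: str
    qname: str
    ip: str
    detail: str


def answer_is_expected(qname: str, ip: str) -> bool:
    """True if the domain is unwatched or the answer falls in its reference prefixes."""
    prefixes = REFERENCE.get(qname)
    if prefixes is None:
        return True
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(p) for p in prefixes)


def detect(dns_lines, http_lines) -> list:
    findings = []
    divergent = {}  # (client, ip) -> (qname, timestamp of the poisoned answer)
    for line in dns_lines:
        m = DNS_RE.match(line)
        if not m:
            continue
        qname = m["qname"].rstrip(".").lower()
        if not answer_is_expected(qname, m["ip"]):
            divergent[(m["client"], m["ip"])] = (qname, m["ts"])
            findings.append(Finding("medium", m["client"], qname, m["ip"],
                                    "answer outside reference prefixes"))
    for line in http_lines:
        m = HTTP_RE.match(line)
        if not m:
            continue
        hit = divergent.get((m["client"], m["dst"]))
        # ISO-8601 UTC timestamps of equal format compare correctly as strings
        if hit and m["ts"] >= hit[1]:
            findings.append(Finding("high", m["client"], hit[0], m["dst"],
                                    f"GET {m['path']} with Host {m['host']} sent to divergent IP"))
    return findings


# --- constructed logs ------------------------------------------------------
DNS_LOG = [
    "2024-03-01T09:00:01Z client=10.0.0.5 qname=dictionary.com answer=192.0.2.10",
    "2024-03-01T09:05:00Z client=10.0.0.7 qname=dictionary.com. answer=203.0.113.9",
    "2024-03-01T09:05:01Z client=10.0.0.7 qname=p2p.hd.sohu.com.cn answer=198.51.100.4",
    "2024-03-01T09:06:00Z client=10.0.0.9 qname=example.org answer=203.0.113.50",
]
HTTP_LOG = [
    "2024-03-01T09:00:02Z client=10.0.0.5 dst=192.0.2.10 host=dictionary.com path=/",
    "2024-03-01T09:05:03Z client=10.0.0.7 dst=203.0.113.9 host=dictionary.com path=/img/banner.png",
    "2024-03-01T09:06:02Z client=10.0.0.9 dst=203.0.113.50 host=example.org path=/",
]

if __name__ == "__main__":
    for f in detect(DNS_LOG, HTTP_LOG):
        print(f)
```

A divergent answer alone is only a medium-severity signal (CDNs and geo-DNS legitimately return different addresses), which is why the reference prefixes should come from the same vantage as the victim where possible; the severity rises to high only when the client actually contacts the divergent address with the legitimate Host header, which is the behaviour a poisoned update or second-stage fetch produces.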