
China-Linked Evasive Panda Ran DNS Poisoning Campaign to Deliver MgBot Malware

Severity: High
Category: Malware
Published: Fri Dec 26 2025 (12/26/2025, 14:44:00 UTC)
Source: The Hacker News

Description

A China-linked advanced persistent threat (APT) group has been attributed to a highly targeted cyber espionage campaign in which the adversary poisoned Domain Name System (DNS) requests to deliver its signature MgBot backdoor in attacks targeting victims in Türkiye, China, and India. The activity, Kaspersky said, was observed between November 2022 and November 2024. It has been linked to a

AI-Powered Analysis

Last updated: 12/26/2025, 15:28:41 UTC

Technical Analysis

The Evasive Panda APT group, active since at least 2012 and tracked under aliases including Bronze Highland and StormBamboo, ran a cyber espionage campaign that used DNS poisoning to deliver its signature MgBot backdoor. Observed between November 2022 and November 2024, the campaign targeted victims primarily in Türkiye, China, and India. The attackers manipulated DNS responses for specific domains, such as p2p.hd.sohu.com.cn and dictionary.com, redirecting legitimate software update requests to attacker-controlled servers. This let them deliver trojanized updates for popular third-party applications including SohuVA, Baidu's iQIYI Video, IObit Smart Defrag, and Tencent QQ.

The infection chain was multi-stage: an initial loader executed shellcode that fetched an encrypted second-stage payload disguised as a PNG image, again via the poisoned DNS path. The second-stage payload was encrypted uniquely per victim with a combination of Microsoft's DPAPI and the RC5 algorithm, which complicates analysis and detection. A secondary loader, delivered as a renamed python.exe together with a sideloaded DLL, decrypted MgBot and executed it by injecting it into the legitimate svchost.exe process. MgBot is a modular implant that harvests files, logs keystrokes, captures clipboard data, records audio, and steals browser credentials, supporting long-term, stealthy espionage.

The attackers most likely compromised ISPs or victim network devices so that they could poison DNS responses selectively by geographic location and ISP. The campaign reflects advanced adversary-in-the-middle techniques and strong operational security, including targeting specific Windows versions to tailor payloads. Evasive Panda's earlier activity includes supply chain compromises and watering hole attacks, indicating a broad and persistent threat actor.
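The endpoint side of the chain above (a renamed interpreter, a DLL sideloaded next to it, and a thread injected into svchost.exe) can be expressed as a handful of telemetry rules. The following is an added example written for this page, not code from the article or from Kaspersky: the event schema is a simplified Sysmon-style layout (ProcessCreate, ImageLoad, CreateRemoteThread), and every path, file name and signature flag in the sample events is constructed.

```python
"""Detection logic for the loader chain described above, run over
constructed endpoint telemetry.

Added example, not code from the article or from Kaspersky: the event
schema is a simplified Sysmon-style layout (ProcessCreate, ImageLoad,
CreateRemoteThread) and every path, file name and signature flag below
is constructed for illustration.
"""
import ntpath

SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
USER_WRITABLE_DIRS = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")


def in_system_dir(path):
    return path.lower().startswith(SYSTEM_DIRS)


def user_writable(path):
    return path.lower().startswith(USER_WRITABLE_DIRS)


def basename(path):
    return ntpath.basename(path).lower()


def rule_renamed_binary(ev):
    """Renamed interpreter: the PE's OriginalFileName (python.exe in the
    campaign) disagrees with the on-disk file name."""
    if ev.get("event") != "ProcessCreate":
        return None
    orig = ev.get("original_file_name", "").lower()
    if orig and orig != basename(ev["image"]):
        return f"{ev['image']} carries OriginalFileName {orig}"
    return None


def rule_sideloaded_dll(ev):
    """Sideload pattern: an unsigned DLL loaded from the process's own
    directory, where that directory is user-writable."""
    if ev.get("event") != "ImageLoad":
        return None
    same_dir = ntpath.dirname(ev["loaded"]).lower() == ntpath.dirname(ev["image"]).lower()
    if same_dir and user_writable(ev["loaded"]) and not ev.get("loaded_signed", True):
        return f"{basename(ev['image'])} loaded unsigned {ev['loaded']}"
    return None


def rule_svchost_parent(ev):
    """svchost.exe is normally started from System32 by services.exe."""
    if ev.get("event") != "ProcessCreate" or basename(ev["image"]) != "svchost.exe":
        return None
    if basename(ev.get("parent", "")) != "services.exe" or not in_system_dir(ev["image"]):
        return f"svchost.exe started by {ev.get('parent')}"
    return None


def rule_remote_thread_into_svchost(ev):
    """Injection: a thread created in svchost.exe by a process that does
    not itself live in a system directory."""
    if ev.get("event") != "CreateRemoteThread":
        return None
    if basename(ev["target_image"]) == "svchost.exe" and not in_system_dir(ev["source_image"]):
        return f"remote thread in svchost.exe from {ev['source_image']}"
    return None


RULES = [rule_renamed_binary, rule_sideloaded_dll, rule_svchost_parent,
         rule_remote_thread_into_svchost]


def evaluate(events, rules=RULES):
    """Return (rule_name, detail) for every rule that fires on any event."""
    findings = []
    for ev in events:
        for rule in rules:
            detail = rule(ev)
            if detail:
                findings.append((rule.__name__, detail))
    return findings


# Constructed events: one benign svchost start, then the suspicious chain.
STAGING = "C:\\Users\\alice\\AppData\\Local\\Temp\\update\\"
SAMPLE_EVENTS = [
    {"event": "ProcessCreate", "image": "C:\\Windows\\System32\\svchost.exe",
     "parent": "C:\\Windows\\System32\\services.exe", "original_file_name": "svchost.exe"},
    {"event": "ProcessCreate", "image": STAGING + "svcupd.exe",
     "parent": STAGING + "setup.exe", "original_file_name": "python.exe"},
    {"event": "ImageLoad", "image": STAGING + "svcupd.exe",
     "loaded": "C:\\Windows\\System32\\kernel32.dll", "loaded_signed": True},
    {"event": "ImageLoad", "image": STAGING + "svcupd.exe",
     "loaded": STAGING + "helper.dll", "loaded_signed": False},
    {"event": "CreateRemoteThread", "source_image": STAGING + "svcupd.exe",
     "target_image": "C:\\Windows\\System32\\svchost.exe"},
]

if __name__ == "__main__":
    for name, detail in evaluate(SAMPLE_EVENTS):
        print(f"{name}: {detail}")
```

Each rule on its own is a triage signal rather than a verdict (installers and per-user applications legitimately trigger the renamed-binary and user-writable-path checks); the value is in correlating several of them on the same host within a short window, which is what the sample events show.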

Potential Impact

For European organizations, this threat poses significant risks primarily through the potential compromise of network infrastructure such as ISPs or edge devices that handle DNS queries. If European ISPs or enterprise networks are targeted or compromised, DNS poisoning could redirect legitimate software update requests to malicious servers, leading to stealthy malware infections. The MgBot backdoor's capabilities to exfiltrate sensitive data, including credentials, files, and audio, threaten confidentiality and privacy, particularly for organizations involved in sensitive sectors such as government, critical infrastructure, technology, and research. The modular nature of MgBot allows attackers to adapt and expand their espionage capabilities, increasing the risk of prolonged undetected presence. Additionally, the use of custom encryption and multi-stage loaders complicates detection and incident response efforts. The campaign’s reliance on targeting specific Windows versions and geographic-based DNS manipulation suggests that European organizations with outdated or unpatched systems could be at higher risk. The espionage focus and advanced techniques underscore a threat to intellectual property, strategic information, and operational integrity within Europe.

Mitigation Recommendations

European organizations should implement DNS security enhancements such as DNSSEC to validate DNS responses and reduce the risk of poisoning attacks. Network operators and ISPs must monitor and secure DNS infrastructure rigorously, including edge devices like routers and firewalls, to detect unauthorized modifications or implants. Deploying endpoint detection and response (EDR) solutions capable of identifying multi-stage loader behaviors, DLL sideloading, and anomalous svchost.exe injections is critical. Organizations should enforce strict software update policies, verifying update sources and employing application allowlisting to prevent execution of trojanized binaries. Regularly auditing network traffic for unusual DNS queries or responses and implementing geo-IP filtering can help detect and block suspicious redirections. Employing threat intelligence feeds to identify indicators of compromise related to Evasive Panda and MgBot can enhance proactive defense. Additionally, maintaining up-to-date Windows systems and applying security patches reduces the attack surface exploited by tailored payloads. Incident response teams should prepare for complex encrypted payloads by developing decryption capabilities and behavioral analysis techniques. Finally, collaboration with ISPs and national cybersecurity authorities is essential to identify and remediate compromised network infrastructure.
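The recommendation to audit DNS traffic for unusual responses can be made concrete as a per-domain baseline check over resolver logs. The block below is an added example written for this page, not code from the article or from any vendor: it compares each observed A/AAAA answer with the prefixes previously seen for that name and, as a weaker second signal, with the answer obtained from an independent resolver. The log format, host names, prefixes and addresses are all constructed.

```python
"""Audit resolver logs for answers that deviate from a per-domain baseline.

Added example, not code from the article or from any vendor: the
campaign above poisoned answers for legitimate update hosts, so the
check here compares each observed A/AAAA answer with the prefixes
previously seen for that name and, as a weaker second signal, with the
answer obtained from an independent resolver. Log format, host names,
prefixes and addresses are all constructed.
"""
import ipaddress
import re

# Constructed baseline: prefixes historically observed for each update
# host (in practice built from passive DNS or vendor-published ranges).
BASELINE = {
    "updates.example-vendor.test": ["203.0.113.0/24"],
    "cdn.example-app.test": ["198.51.100.0/24", "2001:db8::/32"],
}

# Constructed answers from a resolver reached outside the local ISP path.
REFERENCE = {
    "updates.example-vendor.test": {"203.0.113.10"},
    "cdn.example-app.test": {"198.51.100.44", "2001:db8::1"},
}

# Constructed log format: <timestamp> <client> <qname> <qtype> <answer> <ttl>
LOG_LINE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<qname>\S+)\s+(?P<qtype>AAAA|A)\s+"
    r"(?P<answer>\S+)\s+(?P<ttl>\d+)$"
)

SAMPLE_LOG = """\
2025-12-01T10:00:01Z 10.0.0.5 updates.example-vendor.test A 203.0.113.10 300
2025-12-01T10:00:02Z 10.0.0.7 cdn.example-app.test A 198.51.100.44 300
2025-12-01T10:03:11Z 10.0.0.5 updates.example-vendor.test A 192.0.2.77 60
2025-12-01T10:03:12Z 10.0.0.9 cdn.example-app.test AAAA 2001:db8::1 300
2025-12-01T10:05:40Z 10.0.0.7 cdn.example-app.test A 198.51.100.200 300
this line is malformed and must be skipped
"""


def normalize(qname):
    return qname.lower().rstrip(".")


def parse_log(text):
    """Parse constructed resolver lines into dicts, skipping malformed ones."""
    records = []
    for line in text.splitlines():
        m = LOG_LINE.match(line.strip())
        if m:
            rec = m.groupdict()
            rec["ttl"] = int(rec["ttl"])
            records.append(rec)
    return records


def answer_in_baseline(qname, answer, baseline=BASELINE):
    """True if answer falls inside a baseline prefix for qname. Names with
    no baseline return True: there is nothing to compare against."""
    prefixes = baseline.get(normalize(qname))
    if prefixes is None:
        return True
    try:
        addr = ipaddress.ip_address(answer)
    except ValueError:
        return False
    # 'in' across IPv4/IPv6 versions is simply False, so mixed prefixes are safe.
    return any(addr in ipaddress.ip_network(p) for p in prefixes)


def find_anomalies(records, baseline=BASELINE, reference=REFERENCE):
    """Return (qname, answer, reason) for each suspicious answer. An answer
    outside the baseline is the strong signal; one inside the baseline
    but unknown to the reference resolver is reported separately."""
    findings = []
    for rec in records:
        qname, answer = normalize(rec["qname"]), rec["answer"]
        if not answer_in_baseline(qname, answer, baseline):
            findings.append((qname, answer, "outside baseline prefixes"))
        elif qname in reference and answer not in reference[qname]:
            findings.append((qname, answer, "differs from reference resolver"))
    return findings


if __name__ == "__main__":
    for qname, answer, reason in find_anomalies(parse_log(SAMPLE_LOG)):
        print(f"{qname} -> {answer}: {reason}")
```

The baseline mismatch is the finding worth paging on; the reference-resolver mismatch is noisier because CDNs rotate addresses, so treat it as context. Neither replaces DNSSEC validation on the resolver, which rejects forged answers for signed zones before they reach the client, but the log check still catches redirection of unsigned zones and of update hosts whose answers are poisoned upstream of the resolver.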


Technical Details

Article Source: https://thehackernews.com/2025/12/china-linked-evasive-panda-ran-dns.html (fetched 2025-12-26T15:28:24.845Z, 1503 words)

Threat ID: 694ea99af5f69c8dc2a0d494

Added to database: 12/26/2025, 3:28:26 PM

Last enriched: 12/26/2025, 3:28:41 PM

Last updated: 12/26/2025, 6:15:47 PM

