【CyCraft Monthly Intelligence】Evasive Panda: Infiltrating Critical Industries via DNS Poisoning and Trojanized Software Updates Over Two Years of Stealth

Threat and Impact

Between November 2022 and November 2024, Evasive Panda launched a highly sophisticated and prolonged cyber espionage campaign. The scope of the attack spanned multiple industries across several countries, with Turkey, China, and India as primary targets. Evasive Panda—also tracked as Bronze Highland, Daggerfly, and StormBamboo—has been notorious since 2012 for its advanced tactics, continuously optimizing its tools and techniques to evade detection and maintain long-term persistence within victim systems.

Analyst Perspective

Evasive Panda has launched numerous global attacks over the past several years. In this latest campaign, the actor masqueraded as several widely used services in China, such as Sohu, iQIYI, and Tencent, indicating that the Chinese public was a major target. The operation also collects the Windows version and current username of each victim host before the implant is served. Past research has revealed that Evasive Panda utilizes two distinct implants, MgBot for Windows and Macma for macOS, so it can be inferred that the payload delivered is tailored to the victim's operating system and version. Furthermore, most victims remained under the attacker's control for over a year post-infection, demonstrating the actor's capability for long-term espionage and remote command-and-control.

Incident Description

This campaign utilized a precise Adversary-in-the-Middle (AitM) attack, intercepting legitimate software update requests through DNS poisoning and redirecting them to attacker-controlled servers. By combining stealthy loaders with trojanized update files carrying the MgBot backdoor implant, the attackers successfully compromised the update mechanisms of several popular Chinese applications, including SohuVA, iQIYI Video, IObit Smart Defrag, and Tencent QQ. By disguising the intrusion as routine software maintenance, attackers could infiltrate victim systems and significantly increase the infection success rate while minimizing suspicion.

The malware has a highly complex architecture: the attackers developed a brand-new loader employing a multi-stage shellcode execution flow, a hybrid encryption mechanism combining the Microsoft Data Protection API (DPAPI) with RC5 encryption, and dynamic runtime API resolution. These features not only drastically increase the difficulty of reverse engineering and forensic analysis but also bind each encrypted payload to the individual victim host, enhancing both stealth and resilience. Additionally, the MgBot implant utilizes DLL side-loading to inject into legitimate, signed system processes (such as svchost.exe), allowing it to operate entirely in memory and evade detection by traditional file-based security solutions.

Technical Details

This chapter provides an in-depth analysis of the technical details of the Evasive Panda APT campaign, offering a comprehensive explanation of its root causes and the tactics employed by the threat actor. Through the lens of the MITRE ATT&CK framework, we examine each stage of the attack lifecycle.

Reconnaissance

The Evasive Panda group begins with targeted reconnaissance to gather critical information regarding the victim's infrastructure. The core technique in this phase is DNS Poisoning: by manipulating DNS responses, requests originally destined for legitimate software update services (such as SohuVA and dictionary.com) are redirected to attacker-controlled servers. This allows the attackers to observe network traffic patterns and software versions, gaining situational awareness to customize subsequent malicious payloads.

Initial Access

The attackers gain an initial foothold through trojanized software updates targeting popular Chinese applications, including SohuVA, iQIYI Video, IObit Smart Defrag, and Tencent QQ. Attackers distribute executables disguised as legitimate update packages (e.g., sohuva_update_10.2.29.1-lup-s-tp.exe). These files are either delivered directly to victims or transmitted via the C2 infrastructure after redirecting original update requests through DNS poisoning.

Execution

Once delivered, the malware initiates a multi-stage loader architecture developed using C++ and the Windows Template Library (WTL). The loader first decrypts an encrypted configuration buffer using a custom XOR algorithm, then decompresses the core payload, which is compressed using LZMA.

The execution flow varies depending on the privileges of the logged-in user:

  • If the current user is SYSTEM: The malware clones itself and modifies the filename (appending ext.exe), then re-executes via the ShellExecuteW API.
  • If the user is not SYSTEM: It copies explorer.exe to the %TEMP% directory under a temporary name and subsequently deletes the original file. This resource-intensive step is likely designed for obfuscation or to hinder forensic analysis.

The loader also decrypts the library and function names it needs (such as kernel32.dll and VirtualProtect) at runtime, so that Windows API addresses are resolved dynamically rather than through the import table. The decrypted shellcode (roughly 9,556 bytes) is written into the loader's own .data section. That section is not executable by default, so the malware calls VirtualProtect to mark it executable before transferring control to it; the payload therefore never exists on disk as a standalone executable, which defeats file-based scanning. The permission change itself is a detection opportunity: a writable data section being made executable from inside an unsigned "update" binary is exactly the memory-permission event that EDR API hooks and memory-scanning rules are built to flag.
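As an added example (not code from the report or from the malware's loader), the following rebuilds the hash-to-name table an analyst needs to read hashed API lookups of this kind; it uses the PJW hash that the Defense Evasion section below identifies, and the export lists in it are a constructed sample rather than a dump of real DLLs:

```python
# Added example, not code from the report or from the malware: rebuild the
# hash -> API-name table needed to read PJW-hashed imports in the shellcode.
# The export lists below are a constructed sample, not a dump of real DLLs.

def pjw_hash(name: str) -> int:
    """32-bit PJW (ELF) hash of an export name, the scheme the shellcode uses
    to look up APIs without carrying their plaintext names."""
    h = 0
    for ch in name.encode("ascii"):
        h = ((h << 4) + ch) & 0xFFFFFFFF
        high = h & 0xF0000000
        if high:
            h ^= high >> 24
            h &= ~high & 0xFFFFFFFF
    return h

# Constructed stand-in for module export tables; a real resolver walks the
# PE export directory of each DLL loaded in the victim process.
SAMPLE_EXPORTS = {
    "kernel32.dll": ["LoadLibraryA", "GetProcAddress", "VirtualProtect",
                     "VirtualAlloc", "CreateProcessW"],
    "ntdll.dll": ["RtlGetVersion", "NtProtectVirtualMemory"],
    "shell32.dll": ["ShellExecuteW"],
}

def build_hash_table(exports: dict) -> dict:
    """Map every export's PJW hash to (module, name). A collision between two
    different exports is reported instead of being silently overwritten."""
    table = {}
    for module, names in exports.items():
        for name in names:
            h = pjw_hash(name)
            if h in table and table[h] != (module, name):
                raise ValueError("hash collision %08x: %r vs %r" % (h, table[h], (module, name)))
            table[h] = (module, name)
    return table

def resolve(hash_value: int, table: dict):
    """(module, name) for a hash carried by the shellcode, or None if unknown."""
    return table.get(hash_value)

def resolve_all(hashes, table: dict) -> list:
    """Annotate a list of hashes pulled from the shellcode's resolver calls."""
    return [(h, resolve(h, table)) for h in hashes]
```

In practice the hashes are lifted from the arguments of the shellcode's resolver routine and run through resolve_all against a table built from the real export directories of the DLLs the loader maps; an unresolved hash usually means a module that was not in the table, not a new algorithm.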

Persistence

The threat actor achieves persistence via DLL side-loading. A secondary loader is dropped under the name libpython2.4.dll, the name of the legitimate Python 2.4 runtime library, and is loaded by evteng.exe, a signed but obsolete executable (a legitimate Python wrapper) that expects that library. Because the signed host process performs the load, the malicious code runs under the guise of a trusted process.

Defense Evasion

The attackers employ several highly sophisticated evasion mechanisms:

  • Hybrid Encryption: Payloads and configuration files use a custom scheme combining Microsoft DPAPI and the RC5 algorithm. The RC5 key itself is protected by DPAPI and stored alongside the encrypted payload in files such as perf.dat. Because a DPAPI blob can only be unprotected under the user or machine context that created it, the payload decrypts only on the specific infected host: a copy of perf.dat pulled into a sandbox is opaque, and the analyst has to recover the RC5 key on the host itself (or with that host's DPAPI master keys) before any static analysis of the payload is possible.
  • DNS Poisoning: Redirecting legitimate update requests to attacker-controlled servers not only facilitates malware delivery but also masks C2 traffic as normal network activity.
  • API Hashing and Dynamic Resolution: The malicious shellcode resolves Windows API functions at runtime by comparing PJW hashes of export names rather than the names themselves, so neither plaintext API strings nor import-table entries reveal the capabilities it uses, reducing the forensic footprint. The hashes remain a fingerprint, however: once the algorithm is known, a table of hashes for common exports turns them back into names.
  • In-Memory Execution and Injection: The MgBot implant leverages DLL side-loading and runtime memory injection to reside within trusted system processes like svchost.exe, evading file-based detection.
  • Encrypted Strings and Configurations: Critical strings (e.g., the username SYSTEM or the filename ext.exe) and configuration data are stored in an encrypted format and only decrypted via XOR operations during execution.
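The following is an added example, not the report's or the malware's code, of how the RC5 half of the hybrid scheme is undone once the DPAPI-protected key has been unwrapped. Everything the report does not state is an assumption here: the RC5 parameters (32-bit words, 12 rounds, 16-byte key), ECB mode without padding, and the container layout (a 4-byte key-blob length, the DPAPI blob, then ciphertext) that recover_payload parses. The on-host step calls CryptUnprotectData and therefore only runs on Windows under the scope that protected the key.

```python
# Added example, not code from the report or from the malware: RC5 decryption
# of a payload whose key arrives DPAPI-protected. Assumed, because the report
# does not document them: RC5-32/12/16, ECB with no padding, and the container
# layout (u32 LE key-blob length, DPAPI key blob, ciphertext).
import ctypes
import struct

ROUNDS = 12
P32, Q32, MASK = 0xB7E15163, 0x9E3779B9, 0xFFFFFFFF

def _rotl(x, y):
    y &= 31
    return ((x << y) | (x >> (32 - y))) & MASK

def _rotr(x, y):
    y &= 31
    return ((x >> y) | (x << (32 - y))) & MASK

def rc5_expand_key(key: bytes) -> list:
    """RC5-32/12 key schedule; returns the 2*(ROUNDS+1) subkey words."""
    c = max(1, (len(key) + 3) // 4)
    L = [0] * c
    for i in range(len(key) - 1, -1, -1):      # little-endian pack into words
        L[i // 4] = ((L[i // 4] << 8) + key[i]) & MASK
    t = 2 * (ROUNDS + 1)
    S = [(P32 + i * Q32) & MASK for i in range(t)]
    A = B = i = j = 0
    for _ in range(3 * max(t, c)):
        A = S[i] = _rotl((S[i] + A + B) & MASK, 3)
        B = L[j] = _rotl((L[j] + A + B) & MASK, A + B)
        i, j = (i + 1) % t, (j + 1) % c
    return S

def rc5_encrypt_block(S, block: bytes) -> bytes:
    A, B = struct.unpack("<II", block)
    A, B = (A + S[0]) & MASK, (B + S[1]) & MASK
    for i in range(1, ROUNDS + 1):
        A = (_rotl(A ^ B, B) + S[2 * i]) & MASK
        B = (_rotl(B ^ A, A) + S[2 * i + 1]) & MASK
    return struct.pack("<II", A, B)

def rc5_decrypt_block(S, block: bytes) -> bytes:
    A, B = struct.unpack("<II", block)
    for i in range(ROUNDS, 0, -1):             # undo the rounds in reverse
        B = _rotr((B - S[2 * i + 1]) & MASK, A) ^ A
        A = _rotr((A - S[2 * i]) & MASK, B) ^ B
    return struct.pack("<II", (A - S[0]) & MASK, (B - S[1]) & MASK)

def _ecb(key: bytes, data: bytes, fn) -> bytes:
    if len(data) % 8:
        raise ValueError("data is not a multiple of the 8-byte RC5 block")
    S = rc5_expand_key(key)
    return b"".join(fn(S, data[i:i + 8]) for i in range(0, len(data), 8))

def rc5_encrypt(key: bytes, data: bytes) -> bytes:
    return _ecb(key, data, rc5_encrypt_block)

def rc5_decrypt(key: bytes, data: bytes) -> bytes:
    return _ecb(key, data, rc5_decrypt_block)

class _DATA_BLOB(ctypes.Structure):
    _fields_ = [("cbData", ctypes.c_uint32), ("pbData", ctypes.c_void_p)]

def dpapi_unprotect(blob: bytes) -> bytes:
    """CryptUnprotectData(); succeeds only under the DPAPI scope that protected
    the blob, i.e. on the infected host. Windows only."""
    crypt32, kernel32 = ctypes.windll.crypt32, ctypes.windll.kernel32
    kernel32.LocalFree.argtypes = [ctypes.c_void_p]
    buf = ctypes.create_string_buffer(blob, len(blob))
    inp = _DATA_BLOB(len(blob), ctypes.addressof(buf))
    out = _DATA_BLOB()
    if not crypt32.CryptUnprotectData(ctypes.byref(inp), None, None, None, None, 0, ctypes.byref(out)):
        raise ctypes.WinError()
    try:
        return ctypes.string_at(out.pbData, out.cbData)
    finally:
        kernel32.LocalFree(out.pbData)

def unpack_container(data: bytes):
    """Assumed layout: u32 little-endian key-blob length, key blob, ciphertext."""
    (n,) = struct.unpack_from("<I", data, 0)
    if 4 + n > len(data):
        raise ValueError("key blob length exceeds container size")
    return data[4:4 + n], data[4 + n:]

def recover_payload(container: bytes, unprotect=dpapi_unprotect) -> bytes:
    """Unwrap the RC5 key (on-host DPAPI by default) and decrypt the payload."""
    key_blob, ciphertext = unpack_container(container)
    return rc5_decrypt(unprotect(key_blob), ciphertext)
```

recover_payload takes the unwrap routine as a parameter so the same decryptor works offline once the host's DPAPI master keys have been extracted: pass an unwrapper built on those keys instead of dpapi_unprotect, and the rest of the pipeline is unchanged.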

Discovery

The malware fingerprints the victim's environment by querying the Windows version with the RtlGetVersion API and collecting the current username. This information is embedded in the HTTP headers sent to the attacker-controlled server, enabling the threat actor to tailor the payload to the victim's specific operating system and user context.

Command and Control (C2)

Command and control is maintained through multiple hardcoded IP addresses and domains stored within the decrypted configuration. Beaconing uses HTTP requests shaped to mimic legitimate traffic, and the server's responses carry payloads disguised as seemingly harmless files, such as PNG images, so a proxy that trusts the Content-Type header or the file extension alone will pass them through.
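An added example, not from the report, of the check a proxy or network sensor can apply to such responses: parse the body as a PNG and report anything a real image would not have, such as data after the IEND chunk, a bad chunk CRC, or no PNG signature at all. The sample bodies are constructed, and the checks are generic PNG structure, not a signature for this actor's files.

```python
# Added example, not code from the report: structural checks on an HTTP body
# that claims to be a PNG, the disguise described for MgBot C2 payloads.
# The sample bodies are constructed.
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"

def _chunk(ctype: bytes, data: bytes) -> bytes:
    """Serialize one PNG chunk: length, type, data, CRC32 over type+data."""
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", zlib.crc32(ctype + data))

def minimal_png() -> bytes:
    """Constructed 1x1 greyscale PNG used as the clean sample."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
    idat = zlib.compress(b"\x00\x00")          # filter byte + one pixel
    return PNG_SIG + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", idat) + _chunk(b"IEND", b"")

def png_anomalies(body: bytes) -> list:
    """Reasons this body is not a plain PNG; an empty list means it parsed cleanly."""
    if not body.startswith(PNG_SIG):
        return ["missing PNG signature"]
    reasons, pos, seen_iend = [], len(PNG_SIG), False
    while pos + 8 <= len(body):
        length, ctype = struct.unpack(">I4s", body[pos:pos + 8])
        end = pos + 12 + length                # length field + type + data + CRC
        if end > len(body):
            reasons.append("truncated chunk %s" % ctype.decode("latin-1"))
            return reasons
        data = body[pos + 8:pos + 8 + length]
        (crc,) = struct.unpack(">I", body[pos + 8 + length:end])
        if zlib.crc32(ctype + data) != crc:
            reasons.append("bad CRC on chunk %s" % ctype.decode("latin-1"))
        if not ctype.isalpha():                # chunk types are four ASCII letters
            reasons.append("non-alphabetic chunk type %r" % ctype)
        pos = end
        if ctype == b"IEND":
            seen_iend = True
            break
    if seen_iend:
        if pos < len(body):
            reasons.append("%d trailing bytes after IEND" % (len(body) - pos))
    else:
        reasons.append("no IEND chunk")
    return reasons

def disguised_payload(content_type: str, body: bytes) -> bool:
    """True when the server claims image/png but the body is not a plain PNG."""
    claimed = content_type.split(";")[0].strip().lower()
    return claimed == "image/png" and bool(png_anomalies(body))
```

A payload can also be hidden inside chunks the parser accepts (an oversized ancillary chunk, for instance), so treat a clean parse as the absence of the crude variants, not as proof of a benign image; the size and frequency of image fetches from the same host are still worth baselining.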

Mitigation

Network Security

  • DNS Security: Implement DNSSEC (Domain Name System Security Extensions) to defend against DNS poisoning. DNSSEC lets a validating resolver verify the authenticity of DNS responses, reducing the risk of traffic being redirected to attacker-controlled servers. Note its limits: it only helps for zones that are signed and only when the client's resolver validates, so a forged answer from an upstream resolver that does not validate still reaches the host. Treat it as one layer and require that update clients verify a signature on the update package itself (and pin the vendor's TLS certificate), so that a redirected download fails rather than installs.
  • Firewalls and Intrusion Detection Systems (IDS): Deploy firewalls and IDS to monitor and block suspicious activity. Rules for the AitM and C2 addresses in the IoC list below, and for update-host DNS answers that change unexpectedly, let organizations detect and intercept the traffic patterns associated with this poisoning and other APT tactics.
  • Network Segmentation: Segment the network to limit the lateral movement of malware. Ensuring that critical systems are isolated from less secure zones can effectively contain a breach if one occurs.
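The following is an added detection example, not from the report, that applies those controls to DNS client logs: it flags any answer that lands on the AitM or MgBot addresses from the IoC list, and any update-host answer that departs from a baseline captured out of band (for instance over DNS-over-HTTPS from outside the affected network). The log lines, the update hostnames under .example and the baseline are constructed; the IP sets are the ones listed in the IoC section.

```python
# Added example, not code from the report: cross-check DNS answers against the
# AitM/C2 addresses in the IoC list and an out-of-band baseline. Log lines,
# hostnames (*.example) and the baseline are constructed; the IPs are the
# report's IoCs.
import ipaddress

AITM_IPS = {"103.96.130.107", "158.247.214.28", "106.126.3.78", "106.126.3.56"}
MGBOT_C2 = {
    "60.28.124.21", "123.139.57.103", "140.205.220.98", "112.80.248.27",
    "116.213.178.11", "60.29.226.181", "58.68.255.45", "61.135.185.29",
    "103.27.110.232", "117.121.133.33", "139.84.170.230",
}

# Constructed DNS client log: ts, client, query, answer (tab separated).
SAMPLE_LOG = """\
1700000000.1\t10.0.0.5\tupdate.vendor-a.example\t203.0.113.10
1700000000.2\t10.0.0.5\tupdate.vendor-a.example\t103.96.130.107
1700000001.0\t10.0.0.9\tupdate.vendor-b.example\t198.51.100.7
1700000002.3\t10.0.0.9\tupdate.vendor-b.example\t198.51.100.99
1700000003.0\t10.0.0.7\twww.news.example\t192.0.2.44
"""

# Constructed baseline: answers for the watched update hosts, resolved out of band.
BASELINE = {
    "update.vendor-a.example": {"203.0.113.10"},
    "update.vendor-b.example": {"198.51.100.7", "198.51.100.8"},
}

def parse_dns_log(text: str):
    """Yield (ts, client, query, answer) from the tab-separated sample format."""
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, client, query, answer = line.split("\t")
        yield ts, client, query.lower().rstrip("."), answer

def check_answer(query: str, answer: str, baseline: dict = BASELINE):
    """Return a reason string if the answer is suspicious, else None."""
    try:
        ipaddress.ip_address(answer)
    except ValueError:
        return None                       # CNAME or other non-IP answers are not checked here
    if answer in AITM_IPS:
        return "resolved to known AitM address"
    if answer in MGBOT_C2:
        return "resolved to known MgBot C2 address"
    expected = baseline.get(query)
    if expected is not None and answer not in expected:
        return "update host answer differs from out-of-band baseline"
    return None

def find_poisoned_answers(text: str, baseline: dict = BASELINE) -> list:
    """All (client, query, answer, reason) tuples worth alerting on."""
    hits = []
    for _ts, client, query, answer in parse_dns_log(text):
        reason = check_answer(query, answer, baseline)
        if reason:
            hits.append((client, query, answer, reason))
    return hits
```

The baseline comparison is the part that catches poisoning before an address is on any IoC list; it needs the baseline refreshed on the vendor's own change cadence, otherwise a legitimate CDN change looks like an attack.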

Endpoint Protection

  • Antivirus and Anti-Malware: Regularly update antivirus and anti-malware solutions to detect and remediate known threats.
  • Endpoint Detection and Response (EDR): EDR solutions provide real-time monitoring of endpoint activity, offering detailed logs and alerts for suspicious behavior to facilitate rapid incident response.
  • Application Whitelisting: Implement application whitelisting to restrict the execution of unauthorized software. This is a highly effective defense against trojanized updates and the execution of malicious payloads.

User Awareness and Training

  • Phishing Awareness Training: Conduct regular training sessions for employees to increase vigilance against phishing and social engineering tactics. Train staff to identify and report suspicious emails and links.
  • Security Best Practices: Promote essential security practices, including the use of strong, unique passwords, the enablement of Multi-Factor Authentication (MFA), and the avoidance of downloading suspicious files or software.

Reference

IoCs (Indicators of Compromise)

Name                                  MD5
sohuva_update_10.2.29.1-lup-s-tp.exe  c340195696d13642ecf20fbe75461bed
libpython2.4.dll                      7973e0694ab6545a044a49ff101d412a
MgBot implant                         9e72410d61eaa4f24e0719b34d7cad19

FilePaths
C:\ProgramData\Microsoft\MF
C:\ProgramData\Microsoft\eHome\status.dat
C:\ProgramData\Microsoft\eHome\perf.dat

URLs and IPs

MgBot C2
60.28.124[.]21    
123.139.57[.]103  
140.205.220[.]98  
112.80.248[.]27   
116.213.178[.]11  
60.29.226[.]181   
58.68.255[.]45    
61.135.185[.]29   
103.27.110[.]232  
117.121.133[.]33  
139.84.170[.]230  

AitM C2
103.96.130[.]107  
158.247.214[.]28  
106.126.3[.]78    
106.126.3[.]56

About CyCraft

CyCraft is a cybersecurity company founded in 2017, focusing on autonomous AI technology. Headquartered in Taiwan, it has subsidiaries in Japan and Singapore. CyCraft provides professional cybersecurity services to government agencies, police and defense forces, banks, and high-tech manufacturers throughout the Asia-Pacific region. It has received strong backing from the CID Group and Pavilion Capital, a Temasek Holdings Private Limited subsidiary.
