MgBot Backdoor

A long-running cyber espionage campaign that abused Domain Name System (DNS) infrastructure to deliver the MgBot backdoor has been attributed to a sophisticated, China-aligned advanced persistent threat (APT) group. The campaign focused on carefully selected victims in Türkiye, China, and India, and remained active from November 2022 through November 2024.

The Adversary Behind the Operation

The activity has been linked to the threat actor widely known as Evasive Panda, also tracked under the names Bronze Highland, Daggerfly, and StormBamboo. This group has been assessed to be operational since at least 2012 and is known for highly targeted intrusions rather than broad, opportunistic attacks.

Adversary-in-the-Middle as a Core Tactic

At the heart of the campaign was the use of adversary-in-the-middle (AitM) techniques. The attackers manipulated DNS responses so that victims were silently redirected to infrastructure under their control. Malware loaders were placed in precise file locations, while encrypted components were hosted on attacker-controlled servers and only delivered in response to specific DNS queries tied to legitimate websites.

A Pattern of DNS Poisoning Abuse

This campaign is not an isolated case. Evasive Panda has repeatedly demonstrated expertise in DNS poisoning. Earlier research highlighted similar tactics in April 2023, when the group likely leveraged either a supply chain compromise or an AitM attack to distribute trojanized versions of trusted software, such as Tencent QQ, against an international NGO in Mainland China.

In August 2024, further reporting revealed that the group had compromised an unnamed internet service provider (ISP), abusing poisoned DNS responses to distribute malicious software updates to selected targets.

A Broader Ecosystem of China-Aligned AitM Actors

Evasive Panda is part of a wider landscape of China-aligned threat groups that rely on AitM-based poisoning for malware delivery and movement within networks. Analysts have identified at least ten active groups using similar approaches, underscoring that DNS manipulation has become a favored technique within this ecosystem.

Weaponized Software Updates as Lures

In the documented intrusions, victims were enticed with fake updates masquerading as legitimate third-party software. One prominent lure impersonated updates for SohuVA, a video streaming application from Chinese technology company Sohu. The update appeared to originate from the legitimate domain p2p.hd.sohu.com[.]cn, strongly suggesting DNS poisoning was used to redirect traffic to a malicious server while the application attempted to update binaries in its standard directory under appdata\roaming\shapp\7.0.18.0\package.

Researchers also observed parallel campaigns abusing fake updaters for Baidu's iQIYI Video, IObit Smart Defrag, and Tencent QQ.

Multi-Stage Payload Delivery via Trusted Domains

Successful execution of the fake update led to deployment of an initial loader that launched shellcode. This shellcode retrieved an encrypted second-stage payload disguised as a PNG image, again via DNS poisoning, this time abusing the legitimate domain dictionary.com.

The attackers manipulated DNS resolution so that dictionary.com resolved to attacker-controlled IP addresses, selectively determined by the victim's geographic location and ISP. The HTTP request used to fetch this payload included the victim's Windows version, likely enabling the attackers to tailor follow-on actions to specific operating system builds. This selective targeting echoes the group's prior use of watering hole attacks, including the distribution of macOS malware known as MACMA.

How the DNS Poisoning May Have Been Achieved

Although the precise method used to poison DNS responses remains unconfirmed, investigators suspect two primary possibilities:

  • Selective compromise of victim ISPs, potentially involving network implants on edge devices to manipulate DNS traffic.
  • Direct compromise of routers or firewalls within victim environments to alter DNS responses locally.
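A defender-side check for the selective resolution described above, added here as an example and not taken from the reporting summarized on this page: it compares answers from the local (ISP-assigned) resolver against a baseline gathered over a different network path and flags any local answer the baseline does not cover. The log format, the "local"/"baseline" labels and the sample records are assumptions constructed for illustration.

```python
"""Flag local DNS answers that fall outside an out-of-band baseline.
The poisoning above was selective per ISP, so the baseline must come from
a different network path (e.g. DoH to a known resolver); a single-resolver
view cannot reveal it. Sample records are constructed, not captured data.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed log: "<domain> <source> <answer>"; baseline answers may be CIDR
# ranges so that CDN pools that legitimately vary do not raise false alarms.
SAMPLE_LOG = """\
dictionary.com baseline 198.51.100.0/24
dictionary.com local 198.51.100.42
dictionary.com local 203.0.113.10
p2p.hd.sohu.com.cn baseline 192.0.2.7
p2p.hd.sohu.com.cn local 192.0.2.7
example.org baseline 2001:db8::/32
example.org local 2001:db8::1
malformed line
"""

def parse_log(text):
    """Group answers by domain; baseline entries are stored as networks."""
    answers = defaultdict(lambda: {"local": set(), "baseline": set()})
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip truncated or malformed records
        domain, source, answer = parts
        try:
            if source == "baseline":
                answers[domain]["baseline"].add(ip_network(answer, strict=False))
            else:
                answers[domain]["local"].add(ip_address(answer))
        except ValueError:
            continue  # unparsable address: ignore rather than abort
    return answers

def find_divergent(answers):
    """Return {domain: [local answers not covered by any baseline network]}."""
    divergent = {}
    for domain, srcs in answers.items():
        if not srcs["baseline"]:
            continue  # nothing to compare against
        unexpected = sorted(str(ip) for ip in srcs["local"]
                            if not any(ip in net for net in srcs["baseline"]))
        if unexpected:
            divergent[domain] = unexpected
    return divergent
```

Running `find_divergent(parse_log(SAMPLE_LOG))` on the constructed sample flags only dictionary.com, whose local answer 203.0.113.10 sits outside the baseline range.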

Sophisticated Loader Chain and Custom Encryption

The second-stage malware delivery process is deliberately complex. The initial shellcode decrypts and executes a victim-specific payload, an approach believed to reduce detection by generating a unique encrypted file for each target.

A secondary loader, disguised as libpython2.4.dll, is sideloaded by a renamed, outdated copy of python.exe. Once executed, it retrieves and decrypts the next-stage payload by reading C:\ProgramData\Microsoft\eHome\perf.dat. This file holds a payload that was XOR-encrypted, decrypted, and then re-encrypted using a custom hybrid of Microsoft's Data Protection API (DPAPI) and the RC5 algorithm. Because DPAPI keys are bound to the machine and user profile, the payload can only be decrypted on the original victim system, which significantly complicates interception and offline analysis.

MgBot: A Stealthy and Capable Implant

After decryption, the payload is injected into a legitimate svchost.exe process, revealing itself as a variant of the MgBot backdoor. This modular implant supports a wide range of espionage functions, including:

  • File collection and exfiltration
  • Keystroke logging and clipboard harvesting
  • Audio recording
  • Theft of browser-stored credentials

These capabilities enable the attackers to maintain long-term, covert access to compromised systems.

An Evolving and Persistent Threat

This campaign highlights Evasive Panda's continued evolution and technical sophistication. By combining DNS poisoning, trusted-brand impersonation, multi-layered loaders, and system-bound encryption, the group demonstrates a clear ability to evade defenses while sustaining persistent access to high-value targets. The operation reinforces the need for stronger DNS security, supply chain validation, and monitoring of update mechanisms in sensitive environments.