Security Firm Links Long-Running China-Linked APT to DNS Poisoning Campaign Delivering MgBot

Source: Siembiot.eu

A highly targeted cyber espionage campaign that used Domain Name System (DNS) poisoning to deliver the MgBot backdoor to selected victims has been attributed to a China-linked advanced persistent threat (APT) group, Kaspersky reported. The activity was observed between November 2022 and November 2024 and affected systems in Türkiye, China and India.

Kaspersky attributed the campaign to a group it and other vendors track as Evasive Panda, also known under names such as Bronze Highland, Daggerfly and StormBamboo. The group is assessed to have been active since at least 2012 and has repeatedly used adversary-in-the-middle (AitM) techniques in targeted operations.

"The group mainly performed adversary-in-the-middle (AitM) attacks on specific victims," Kaspersky researcher Fatih Şensoy wrote in the vendor's analysis. The attacks observed in this campaign relied on DNS responses that directed legitimate software update requests to attacker-controlled infrastructure, enabling staged payload delivery.

Kaspersky said the attackers used lures impersonating legitimate third-party software updaters. One observed tactic involved a malicious update masquerading as a SohuVA video streaming service module, delivered from the domain p2p.hd.sohu.com[.]cn. The vendor said the domain likely had its DNS response altered so that victims resolving the name were directed to an attacker-controlled IP address rather than the genuine service.

Other fake updaters identified in Kaspersky's analysis included variants impersonating iQIYI Video, IObit Smart Defrag and Tencent QQ. The initial malicious component acted as a loader that executed shellcode, which then obtained an encrypted second-stage payload in the form of a PNG image file.

In at least one sequence, the second-stage shellcode was retrieved from a legitimate domain, dictionary[.]com, after the threat actor manipulated that site's DNS resolution for victim systems. Kaspersky said the manipulation appeared to cause dictionary[.]com to resolve to attacker-controlled IP addresses depending on a victim's geography and internet service provider.

How the threat actor achieved the DNS poisoning remains unclear. Kaspersky suggested two possible scenarios: that the ISPs used by victims were selectively targeted and compromised to install a network implant on edge devices, or that a router or firewall used by the victims had been hacked to alter DNS responses.

The HTTP request used to fetch the second-stage shellcode included the current Windows version number. Kaspersky said this behavior likely allowed the attackers to tailor the attack to specific operating system versions and to adapt the chain according to the target environment.

The campaign's multi-stage loader sequence also employed a secondary loader named libpython2.4.dll, which was sideloaded by a renamed, older python.exe binary. After execution, the secondary loader downloaded and decrypted the next-stage payload by reading a file stored locally at C:\ProgramData\Microsoft\eHome\perf.dat.
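A defender-side hunting sketch for the loader chain just described, added here as an example and not code from Kaspersky, Siembiot.eu or the report. It correlates three indicators from the article per process (a renamed python.exe, libpython2.4.dll loaded from outside a Python install, and a write to the perf.dat path) over constructed Sysmon-style events; the field names (EventID, ProcessGuid, Image, OriginalFileName, ImageLoaded, TargetFilename) are assumed to follow Sysmon's schema, the legitimate Python install roots are assumed, and the sample records are invented.

```python
import ntpath
from collections import defaultdict

SIDELOADED_DLL = "libpython2.4.dll"                          # name from the report
STAGED_PAYLOAD = r"c:\programdata\microsoft\ehome\perf.dat"  # path from the report
PYTHON_DIRS = ("c:\\python", "c:\\program files\\python")    # assumed legitimate install roots


def analyse(events):
    """Correlate per-process indicators; returns {ProcessGuid: [reasons]}.
    Only processes matching at least two indicators are reported, so a real
    python.exe loading its own libpython from its install directory is not flagged."""
    hits = defaultdict(list)
    for ev in events:
        guid = ev["ProcessGuid"]
        image = ev.get("Image", "").lower()
        if ev["EventID"] == 1:  # process create: interpreter running under another name
            if (ev.get("OriginalFileName", "").lower() == "python.exe"
                    and ntpath.basename(image) != "python.exe"):
                hits[guid].append(f"renamed python.exe running as {ntpath.basename(image)}")
        elif ev["EventID"] == 7:  # image load: libpython2.4.dll outside a Python install
            loaded = ev.get("ImageLoaded", "").lower()
            if ntpath.basename(loaded) == SIDELOADED_DLL and not loaded.startswith(PYTHON_DIRS):
                hits[guid].append(f"{SIDELOADED_DLL} sideloaded from {ntpath.dirname(loaded)}")
        elif ev["EventID"] == 11:  # file create: staging file at the reported path
            if ev.get("TargetFilename", "").lower() == STAGED_PAYLOAD:
                hits[guid].append("wrote perf.dat staging file")
    return {g: r for g, r in hits.items() if len(r) >= 2}


# Constructed sample telemetry (not real events from the campaign).
SAMPLE_EVENTS = [
    {"EventID": 1, "ProcessGuid": "A", "Image": r"C:\Python24\python.exe",
     "OriginalFileName": "python.exe"},
    {"EventID": 7, "ProcessGuid": "A", "Image": r"C:\Python24\python.exe",
     "ImageLoaded": r"C:\Python24\libpython2.4.dll"},      # benign: genuine install
    {"EventID": 1, "ProcessGuid": "B", "Image": r"C:\Users\Public\update.exe",
     "OriginalFileName": "python.exe"},                     # renamed interpreter
    {"EventID": 7, "ProcessGuid": "B", "Image": r"C:\Users\Public\update.exe",
     "ImageLoaded": r"C:\Users\Public\libpython2.4.dll"},
    {"EventID": 11, "ProcessGuid": "B", "Image": r"C:\Users\Public\update.exe",
     "TargetFilename": r"C:\ProgramData\Microsoft\eHome\perf.dat"},
]

if __name__ == "__main__":
    for guid, reasons in analyse(SAMPLE_EVENTS).items():
        print(guid, "->", "; ".join(reasons))
```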

Kaspersky described a complex process used to obtain and protect that stage. The attacker reportedly XOR-encrypted an intermediate resource, then decrypted it and re-encrypted it before saving it as perf.dat using a custom hybrid of Microsoft's Data Protection Application Programming Interface (DPAPI) and the RC5 algorithm. This approach was designed to ensure that the encrypted data could only be decoded on the system where it was created, complicating interception and analysis.

The decrypted payload was identified as a variant of MgBot, a modular implant that the attackers injected into a legitimate svchost.exe process. Kaspersky outlined MgBot's capabilities, noting the implant can harvest files, log keystrokes, collect clipboard data, record audio streams and extract credentials from web browsers.

According to Kaspersky, the attackers generated a unique encrypted second-stage shellcode file for each victim to evade detection and frustrate analysis. The use of per-victim encryption and the multi-step loading and sideloading sequence contributed to the campaign's stealth and persistence.

Evasive Panda's DNS poisoning capabilities have been flagged in prior reporting. ESET noted in April 2023 that the actor may have used a supply chain compromise or an AitM attack to serve trojanized versions of legitimate applications such as Tencent QQ in an incident targeting an international non-governmental organization in Mainland China. In August 2024, Volexity reported that the group had compromised an unnamed internet service provider and used DNS poisoning to distribute malicious software updates to targets of interest.

Kaspersky framed the campaign as part of a wider pattern among China-aligned clusters that have leveraged AitM poisoning for initial access and lateral movement. ESET has previously listed multiple groups using similar techniques, including LuoYu, BlackTech, TheWizards APT, Blackwood, PlushDaemon and FontGoblin.

"The Evasive Panda threat actor has once again showcased its advanced capabilities, evading security measures with new techniques and tools while maintaining long-term persistence in targeted systems," Kaspersky said in its report.

The vendor's findings underscore both the continued use of DNS-based manipulation in targeted espionage operations and the lengths to which operators will go to tailor payload delivery and complicate forensic analysis.
