

Ethical Hacking News

Evasive Panda's DNS Poisoning Campaign: A Sophisticated Threat Actor Expands Its Reach




The Evasive Panda group has launched a sophisticated DNS poisoning campaign, compromising systems in Turkey, China, and India. This campaign highlights the group's ability to adapt and evolve its tactics, staying one step ahead of security measures. The use of DNS poisoning and advanced encryption techniques makes it challenging for security researchers to detect and reverse-engineer the malware.



  • The Evasive Panda group has been executing a multi-year campaign compromising systems in Turkey, China, and India.
  • The attackers have utilized stealthy delivery methods to spread malware without drawing attention to themselves.
  • DNS poisoning is a key component of the campaign, allowing attackers to install the MgBot backdoor.
  • The malware features sophisticated encryption techniques to evade analysis and security measures.
  • The Evasive Panda group has demonstrated remarkable persistence and resources, maintaining its campaign for two years.
  • The attackers continue to deploy updated configuration elements of the long-used MgBot implant, highlighting their focus on adaptability and maintenance.



The cybersecurity landscape has recently witnessed a significant development: Kaspersky's telemetry data revealed that the Evasive Panda group has been executing a multi-year campaign, compromising systems in Turkey, China, and India. This sophisticated threat actor has demonstrated remarkable persistence and resources, maintaining its campaign for two years (November 2022 to November 2024).

The attackers have utilized stealthy delivery methods, such as supply-chain compromise, adversary-in-the-middle attacks, and watering-hole tactics, to spread malware without drawing attention to themselves. These tactics are characteristic of the Evasive Panda group's modus operandi and have been observed in its previous campaigns.

A key component of the campaign is the use of DNS poisoning to install the MgBot backdoor. This technique involves compromising a Domain Name System (DNS) server so that legitimate queries are answered with attacker-controlled addresses, redirecting the victim to servers the attackers run, where they can intercept the request and inject malicious payloads. The use of DNS poisoning highlights the Evasive Panda group's ability to adapt and evolve its tactics, staying one step ahead of security measures.

The malware itself is highly sophisticated, featuring a secondary loader called libpython2.4.dll that is disguised as a legitimate Windows library. The loader is executed by a signed host executable, evteng.exe (a renamed old python.exe), so that the malicious code runs under a trusted signature. The loader saves its own path in status.dat, likely to support future updates, and then decrypts the next stage from perf.dat, which holds the payloads fetched via DNS poisoning.

The attackers repeatedly move and rename the payload, decrypt it with XOR, and re-encrypt it using a custom mix of DPAPI and RC5 that binds it to the infected system and evades analysis. Because the re-encrypted file can only be decrypted on the machine it was bound to, a copy lifted from disk for offline inspection is of little use, which is what makes the malware difficult for security researchers to detect and reverse-engineer.
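Because the payload on disk is host-bound and changes name and location, a defender gets more mileage from the loader's stable artefacts than from the payload itself: a signed python.exe under an odd name next to a libpython2.4.dll, a status.dat that records the loader's path, and a perf.dat whose contents are high-entropy ciphertext. The following Python triage check is an added example written for this page, not code from the article or from Kaspersky's report; it builds a throw-away sample tree (the placeholder files are not real PE binaries), and the 7.0-bit entropy threshold and the "two or more indicators" scoring rule are constructed assumptions to tune for your own environment.

```python
import hashlib
import math
import tempfile
from collections import Counter
from pathlib import Path

# File names taken from the report; everything else below is constructed.
LOADER_FILES = {"evteng.exe", "libpython2.4.dll"}   # signed host + side-loaded DLL
STATE_FILES = {"status.dat", "perf.dat"}            # loader path + encrypted next stage
ENTROPY_THRESHOLD = 7.0                             # bits/byte; assumed cut-off for "encrypted"

def shannon_entropy(data: bytes) -> float:
    """Bits per byte; ~8.0 for ciphertext/compressed data, much lower for text or config."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def assess_directory(directory: Path) -> dict:
    """Collect loader indicators for one directory and score it."""
    names = {p.name.lower() for p in directory.iterdir() if p.is_file()}
    result = {
        "dir": str(directory),
        "loader_files": sorted(LOADER_FILES & names),
        "state_files": sorted(STATE_FILES & names),
        "indicators": [],
    }
    if LOADER_FILES <= names:
        result["indicators"].append("evteng.exe co-located with libpython2.4.dll")
    perf = directory / "perf.dat"
    if perf.is_file():
        entropy = shannon_entropy(perf.read_bytes())
        result["perf_entropy"] = round(entropy, 2)
        if entropy > ENTROPY_THRESHOLD:
            result["indicators"].append("perf.dat is high-entropy (encrypted or packed payload)")
    status = directory / "status.dat"
    if status.is_file():
        text = status.read_bytes().decode("latin-1", "replace").lower()
        if "libpython2.4.dll" in text or "evteng.exe" in text:
            result["indicators"].append("status.dat stores a path to the loader")
    # Assumed rule: one artefact alone is noise, two or more is worth a look.
    result["suspicious"] = len(result["indicators"]) >= 2
    return result

# --- constructed sample tree so the check runs offline ----------------------

def pseudo_random_bytes(n: int, seed: bytes = b"constructed") -> bytes:
    """Deterministic high-entropy filler standing in for the encrypted stage."""
    out, block = bytearray(), seed
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return bytes(out[:n])

def build_sample_tree(root: Path) -> tuple[Path, Path]:
    suspect = root / "suspect"
    suspect.mkdir()
    (suspect / "evteng.exe").write_bytes(b"MZ" + b"\x00" * 62)          # placeholder, not a PE
    (suspect / "libpython2.4.dll").write_bytes(b"MZ" + b"\x00" * 62)    # placeholder, not a PE
    (suspect / "status.dat").write_bytes(str(suspect / "libpython2.4.dll").encode())
    (suspect / "perf.dat").write_bytes(pseudo_random_bytes(4096))
    benign = root / "benign"
    benign.mkdir()
    (benign / "readme.txt").write_bytes(b"nothing to see here\n" * 20)
    (benign / "perf.dat").write_bytes(b"counter=1\n" * 100)              # a real perf log, low entropy
    return suspect, benign

def run_demo() -> tuple[dict, dict]:
    """Build the sample tree in a temp dir and assess both directories."""
    with tempfile.TemporaryDirectory() as tmp:
        suspect, benign = build_sample_tree(Path(tmp))
        return assess_directory(suspect), assess_directory(benign)

if __name__ == "__main__":
    for report in run_demo():
        print(report)
```

In a real hunt you would point assess_directory at user-writable locations where a renamed python.exe has no business being, and pair the file-system hits with process telemetry (a signed binary loading a DLL from the same non-system directory). The entropy test is deliberately weak on its own, since legitimate compressed or encrypted files trip it too; it only becomes useful in combination with the loader co-location and the status.dat path reference.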

Despite introducing new loaders, the attackers have continued to deploy the long-used MgBot implant with updated configuration elements. This suggests that the Evasive Panda group has a well-established framework for its operations, with a focus on maintaining persistence and adaptability.

Kaspersky's report concludes by noting that the Evasive Panda threat actor has once again showcased its advanced capabilities, evading security measures with new techniques and tools while maintaining long-term persistence in targeted systems. It is likely that other ongoing campaigns exist, and the introduction of new loaders may precede further updates to the group's arsenal.

This campaign highlights the importance of staying vigilant in the face of emerging threats. As threat actors continue to evolve and adapt, it is crucial for security professionals to stay informed about the latest tactics, techniques, and procedures (TTPs) employed by these groups.



Related Information:
  • https://www.ethicalhackingnews.com/articles/Evasive-Pandas-DNS-Poisoning-Campaign-A-Sophisticated-Threat-Actor-Expands-Its-Reach-ehn.shtml

  • https://securityaffairs.com/186213/apt/evasive-panda-cyberespionage-campaign-uses-dns-poisoning-to-install-mgbot-backdoor.html

  • https://thehackernews.com/2025/12/china-linked-evasive-panda-ran-dns.html

  • https://cybersecuritynews.com/evasive-panda-apt-using-aitm-attack/


  • Published: Mon Dec 29 03:00:12 2025 by llama3.2 3B Q4_K_M

    © Ethical Hacking News . All rights reserved.