


Perceptive Security
SOC/SIEM Consultancy

China-Linked Evasive Panda Ran DNS Poisoning Campaign to Deliver MgBot Malware
Published:
26 December 2025 at 14:44:00
Alert date:
26 December 2025 at 16:02:17
Source:
thehackernews.com
Network Infrastructure, Ransomware & Malware, Data Breach & Exfiltration
China-linked APT group Evasive Panda conducted a highly targeted cyber espionage campaign that used DNS poisoning to deliver the MgBot backdoor. The campaign targeted victims in Turkey, China, and India between November 2022 and November 2024. The threat actor poisoned Domain Name System responses as part of its attack methodology. Kaspersky attributed the activity to the Evasive Panda group, noting its advanced persistent threat capabilities. The campaign represents a sophisticated supply-chain-style attack built on manipulation of DNS infrastructure.
Technical details
Evasive Panda conducted DNS poisoning attacks to deliver MgBot malware through adversary-in-the-middle (AitM) attacks. The campaign used fake software updates for legitimate applications such as SohuVA, iQIYI Video, IObit Smart Defrag, and Tencent QQ. The attack chain involves:
1) DNS poisoning to redirect legitimate domains to attacker-controlled servers
2) Delivery of the initial loader through fake updates
3) First-stage shellcode fetches an encrypted second-stage payload disguised as a PNG image from dictionary.com, again via DNS poisoning
4) Secondary loader (libpython2.4.dll) uses a renamed python.exe for DLL sideloading
5) Payload decrypted from C:\ProgramData\Microsoft\eHome\perf.dat using custom DPAPI and RC5 encryption
6) Final MgBot backdoor injected into a legitimate svchost.exe process
The malware generates unique encrypted payloads per victim and adapts based on the Windows version.
Mitigation steps:
Monitor DNS traffic for resolutions of legitimate domains to unexpected IP addresses, and deploy DNS monitoring and filtering.
Monitor for DLL sideloading involving python.exe (possibly renamed) and libpython2.4.dll.
Watch for creation of C:\ProgramData\Microsoft\eHome\perf.dat.
Monitor svchost.exe processes for code injection.
Implement network segmentation and monitor for AitM attacks.
Verify software updates through official channels and implement application whitelisting.
Monitor for suspicious PNG downloads that may carry encrypted payloads.
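As an added illustration of the DNS and host checks above (not code from the original alert, Kaspersky, or The Hacker News), the following Python runs those checks over constructed sample resolver lines and endpoint events. The KNOWN_GOOD address ranges, the resolver log format, and the sample records are assumptions; the DLL name, drop path, and package directory come from the alert's IOC list.

```python
import ipaddress
import re
# Constructed baseline (assumption): answer ranges previously observed for the domains the alert names.
KNOWN_GOOD = {
    "p2p.hd.sohu.com.cn": [ipaddress.ip_network("203.0.113.0/24")],
    "dictionary.com": [ipaddress.ip_network("198.51.100.0/24")],
}
SIDELOAD_DLL = "libpython2.4.dll"                       # from the alert's IOC list
DROP_PATH = r"c:\programdata\microsoft\ehome\perf.dat"   # from the alert's IOC list
DNS_RE = re.compile(r"\bq=(?P<q>\S+)\s+a=(?P<a>\S+)")    # constructed resolver log format

def unexpected_resolutions(dns_lines):
    """Return (domain, ip) for baselined domains that resolved outside their known ranges."""
    hits = []
    for line in dns_lines:
        if not (m := DNS_RE.search(line)):
            continue
        domain = m.group("q").lower().rstrip(".")
        nets = KNOWN_GOOD.get(domain)
        if nets is None:
            continue                      # domain not baselined; nothing to compare against
        try:
            ip = ipaddress.ip_address(m.group("a"))
        except ValueError:
            continue                      # CNAME or malformed answer, not an A/AAAA record
        if not any(ip in net for net in nets):
            hits.append((domain, str(ip)))
    return hits

def host_indicators(events):
    """Flag any load of libpython2.4.dll (the loader renames python.exe, so key on the DLL) and writes to perf.dat."""
    flagged = []
    for ev in events:
        proc, image, path = (ev.get(k, "").lower() for k in ("process", "image", "path"))
        if ev.get("type") == "image_load" and image.endswith("\\" + SIDELOAD_DLL):
            flagged.append(("dll_sideload", proc, image))
        elif ev.get("type") == "file_create" and path == DROP_PATH:
            flagged.append(("perf_dat_write", proc, path))
    return flagged

# Constructed sample records (not real telemetry); the package directory is from the alert's IOC list.
PKG = r"c:\users\u\appdata\roaming\shapp\7.0.18.0\package"
SAMPLE_DNS = [
    "2025-12-26T14:40:01 client=10.0.0.5 q=p2p.hd.sohu.com.cn. a=203.0.113.17",
    "2025-12-26T14:40:02 client=10.0.0.5 q=dictionary.com. a=192.0.2.44",
    "2025-12-26T14:40:03 client=10.0.0.9 q=dictionary.com. a=cdn.example.net.",
]
SAMPLE_EVENTS = [
    {"type": "image_load", "process": PKG + r"\update.exe", "image": PKG + r"\libpython2.4.dll"},
    {"type": "file_create", "process": PKG + r"\update.exe", "path": r"C:\ProgramData\Microsoft\eHome\perf.dat"},
    {"type": "image_load", "process": r"c:\python27\python.exe", "image": r"c:\python27\python27.dll"},
]
```

Running `unexpected_resolutions(SAMPLE_DNS)` flags only the dictionary.com answer outside its baseline, and `host_indicators(SAMPLE_EVENTS)` flags the DLL load and the perf.dat write but not the ordinary python27.dll load.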
Affected products:
SohuVA video streaming service
Baidu iQIYI Video
IObit Smart Defrag
Tencent QQ
Windows operating systems
DNS infrastructure
Internet Service Providers (ISPs)
Related links:
https://thehackernews.com/2024/10/chinese-hackers-use-cloudscout-toolset.html
https://securelist.com/evasive-panda-apt/118576/
https://thehackernews.com/2023/04/chinese-hackers-using-mgbot-malware-to.html
https://thehackernews.com/2024/08/china-linked-hackers-compromise-isp-to.html
https://www.cloudflare.com/learning/dns/dns-cache-poisoning/
https://thehackernews.com/2025/11/edgestepper-implant-reroutes-dns.html
https://thehackernews.com/2024/07/chinese-hackers-target-taiwan-and-us.html
Related CVEs:
Related threat actors:
IOCs:
p2p.hd.sohu.com[.]cn, dictionary[.]com (compromised), libpython2.4.dll, C:\ProgramData\Microsoft\eHome\perf.dat, svchost.exe (injection target), appdata\roaming\shapp\7.0.18.0\package
This article was created with the assistance of AI technology by Perceptive.
