CYBERDUDEBIVASH

 Daily Threat Intel by CyberDudeBivash
Zero-days, exploit breakdowns, IOCs, detection rules & mitigation playbooks.


In late December 2025, security researchers at Kaspersky and ESET unmasked a sophisticated, multi-year cyberespionage campaign by the China-linked threat actor Evasive Panda (also tracked as Daggerfly, Bronze Highland, and StormBamboo).

The campaign, which ran from November 2022 to November 2024, used a rare Adversary-in-the-Middle (AitM) technique based on DNS poisoning to hijack software updates and deliver the group’s flagship modular malware, MgBot.


1. The “DNS Poisoning” Mechanism

Unlike traditional phishing, where a user has to click a bad link, this attack happens at the network infrastructure level. The attackers compromised routers or Internet Service Providers (ISPs) sitting on the path between the victim and its DNS resolver, which let them answer the victim’s DNS requests with addresses of their own choosing.

  • The Lure: When a victim’s computer checked for updates for legitimate Chinese software (such as Tencent QQ, iQIYI, or SohuVA), the poisoned DNS answer sent the request to an attacker-controlled server instead of the vendor.
  • The Fake Update: The victim’s machine, believing it was talking to the trusted vendor, downloaded a malicious file named sohuva_update_...exe.
  • The “Dictionary” Trick: To fetch second-stage payloads, the malware requested a file from dictionary[.]com. Because the same DNS poisoning was in place, this legitimate domain resolved to a malicious IP that served encrypted shellcode disguised as a PNG image, so the download looked like ordinary traffic to a well-known site.
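A payload served as a “PNG image” only has to look like one to a casual observer; it rarely survives a strict parse. The following is an added example (not code from the original post, and not Evasive Panda’s own tooling) that walks the PNG chunk list the way a gateway or sandbox check could: it verifies the signature, the IHDR-first ordering, every chunk CRC, and whether anything trails the IEND chunk. The benign sample and the decoy are both constructed inline; the bytes appended after IEND are placeholder data, not the campaign’s shellcode.

```python
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"


def _chunk(chunk_type: bytes, data: bytes) -> bytes:
    """Serialise one PNG chunk: 4-byte length, type, data, CRC32 over type+data."""
    crc = zlib.crc32(chunk_type + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + chunk_type + data + struct.pack(">I", crc)


def build_minimal_png() -> bytes:
    """Constructed benign sample: a valid 1x1 8-bit grayscale PNG."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)  # width, height, depth, colour type, ...
    idat = zlib.compress(b"\x00\x00")                    # one scanline: filter byte + one pixel
    return PNG_SIGNATURE + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", idat) + _chunk(b"IEND", b"")


# Constructed decoy: a genuine image header with an opaque blob appended after IEND.
# The 80 bytes are placeholders standing in for an encrypted payload (assumption:
# the blob is appended rather than hidden inside a chunk).
DECOY_SAMPLE = build_minimal_png() + bytes(range(80))


def inspect_png(blob: bytes) -> dict:
    """Walk the chunk list and report the anomalies a disguised payload tends to show."""
    findings = []
    if not blob.startswith(PNG_SIGNATURE):
        return {"valid_signature": False, "chunks": [], "trailing_bytes": len(blob),
                "findings": ["missing PNG signature"]}
    pos = len(PNG_SIGNATURE)
    chunks = []
    saw_iend = False
    while pos + 12 <= len(blob) and not saw_iend:
        length = struct.unpack(">I", blob[pos:pos + 4])[0]
        ctype = blob[pos + 4:pos + 8]
        if pos + 12 + length > len(blob):
            findings.append(f"truncated chunk {ctype!r}")
            break
        data = blob[pos + 8:pos + 8 + length]
        stored_crc = struct.unpack(">I", blob[pos + 8 + length:pos + 12 + length])[0]
        if zlib.crc32(ctype + data) & 0xFFFFFFFF != stored_crc:
            findings.append(f"bad CRC on chunk {ctype!r}")
        if not ctype.isalpha():
            findings.append(f"non-ASCII chunk type {ctype!r}")
        chunks.append(ctype.decode("latin-1"))
        pos += 12 + length
        saw_iend = ctype == b"IEND"
    trailing = len(blob) - pos
    if chunks[:1] != ["IHDR"]:
        findings.append("first chunk is not IHDR")
    if not saw_iend:
        findings.append("no IEND chunk")
    elif trailing > 0:
        findings.append(f"{trailing} bytes after IEND")
    return {"valid_signature": True, "chunks": chunks, "trailing_bytes": trailing,
            "findings": findings}


def looks_like_real_png(blob: bytes) -> bool:
    """True only when the blob parses cleanly with nothing hidden after IEND."""
    return not inspect_png(blob)["findings"]


if __name__ == "__main__":
    print("clean :", inspect_png(build_minimal_png()))
    print("decoy :", inspect_png(DECOY_SAMPLE))
```

The check is deliberately structural rather than signature based: a valid PNG ends at IEND, so any trailing bytes, a CRC that does not match, or a chunk type outside the ASCII letters is enough to refuse the download and route it to analysis, whatever the payload’s encryption.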

2. The Multi-Stage Payload (MgBot)

Once the fake update is executed, it kicks off a highly stealthy, multi-stage infection process designed to bind the malware to that specific machine.

  1. Initial Loader: A C++ loader that checks the Windows version and system environment before going any further.
  2. Hybrid Encryption: The later stages are protected with a combination of Microsoft’s DPAPI and the RC5 algorithm. DPAPI keys derive from the infected user or machine profile, so an encrypted stage copied off the disk will not decrypt on another host. This binds the malware to the system it first infected and defeats straightforward sandbox analysis of the recovered files.
  3. DLL Sideloading: A legitimate, signed executable (often an old python.exe renamed to evteng.exe) is used to load a malicious library (libpython2.4.dll) from the same directory.
  4. The MgBot Implant: The final stage is injected into a legitimate Windows process (svchost.exe). MgBot is modular, so it can “hot-swap” plugins to perform specific tasks.

3. MgBot Capability & Targeting

MgBot is one of the most comprehensive espionage toolkits in the Chinese APT arsenal. Its plugins are specialized for deep data exfiltration:

  Plugin name       Primary function
  Kstrcs            Keylogging (captures every keystroke).
  Sebasek           Targeted file stealer (hunts for specific extensions).
  Cbmrpa            Clipboard monitor (steals copied passwords/text).
  PRsm              Audio stream capture (records microphone/calls).
  qmsdp / wcdbcrk   Database stealers for Tencent QQ and WeChat.

Targeted Regions: The 2022–2024 wave specifically focused on organizations and individuals in India, Türkiye, and China, with some infections remaining undetected for over a year.


4. Defender’s Checklist

To defend against Evasive Panda’s AitM tactics, organizations should:

  • Audit DNS Responses: Enable DNSSEC validation and prefer encrypted DNS (DoH/DoT) to a resolver you trust, so a router or ISP on the path cannot quietly substitute answers. Two caveats: DNSSEC only protects zones that are actually signed, and validation must happen at a resolver (or on the endpoint) that the attacker does not control. Baseline the answers for vendor update hosts and compare resolutions from more than one vantage point.
  • Monitor for Side-Loading: Alert on legitimate binaries (like evteng.exe) running from unusual directories such as C:\ProgramData\Microsoft\eHome\, on signed executables whose OriginalFileName (python.exe) does not match the name on disk, and on DLLs such as libpython2.4.dll loaded from outside a real Python installation.
  • Scrutinize Update Packages: If an update for a common app arrives over an unencrypted HTTP connection or from an unexpected IP range, treat it as a high-threat event. Updates fetched over HTTPS with certificate validation, and installers with verified vendor signatures, do not fall to DNS poisoning alone, because the attacker’s server cannot present a valid certificate for the vendor’s hostname.
  • Rotate Credentials: Because MgBot targets browser-stored credentials and messaging databases, any suspected victim must perform a full credential reset across all platforms, including the QQ and WeChat accounts whose databases the qmsdp and wcdbcrk plugins collect.
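The sideloading chain in section 2 and the checklist above both come down to a handful of host and DNS signals that can be correlated in one pass. The script below is an added example (not the post’s code and not from any vendor) that runs three rules over Sysmon-style process-creation, image-load and DNS-query records: a process started from the eHome directory or whose OriginalFileName disagrees with its name on disk, an unsigned libpython2.4.dll load, and an update host resolving outside its expected ranges. A second pass then flags any other name (dictionary.com in the constructed sample) that was answered with an IP already seen serving a poisoned update. The log lines, the update hostname update.example-vendor.test and the TEST-NET address ranges are all constructed assumptions.

```python
import ipaddress
import json
import ntpath

# Hypothetical baseline: the ranges an update host is expected to resolve to.
# TEST-NET ranges are placeholders; a real deployment would load ranges observed
# in its own DNS history for the vendor's hosts.
EXPECTED_UPDATE_RANGES = {
    "update.example-vendor.test": [ipaddress.ip_network("203.0.113.0/24")],
}
SIDELOAD_DIR = "c:\\programdata\\microsoft\\ehome\\"   # directory named in the post
SUSPECT_DLLS = {"libpython2.4.dll"}                    # sideloaded DLL named in the post

# Constructed Sysmon-like records (EventID 1 = process create, 7 = image load,
# 22 = DNS query). Paths and results are illustrative, not captured telemetry.
SAMPLE_LOG = r"""
{"EventID": 1, "Image": "C:\\Program Files\\Tencent\\QQ\\Bin\\QQ.exe", "OriginalFileName": "QQ.exe"}
{"EventID": 1, "Image": "C:\\ProgramData\\Microsoft\\eHome\\evteng.exe", "OriginalFileName": "python.exe"}
{"EventID": 7, "Image": "C:\\ProgramData\\Microsoft\\eHome\\evteng.exe", "ImageLoaded": "C:\\ProgramData\\Microsoft\\eHome\\libpython2.4.dll", "Signed": "false"}
{"EventID": 7, "Image": "C:\\Python27\\python.exe", "ImageLoaded": "C:\\Python27\\python27.dll", "Signed": "true"}
{"EventID": 22, "Image": "C:\\Program Files\\Tencent\\QQ\\Bin\\QQ.exe", "QueryName": "update.example-vendor.test", "QueryResults": "type: 5 cdn.example-vendor.test;::ffff:203.0.113.10;"}
{"EventID": 22, "Image": "C:\\Program Files\\Tencent\\QQ\\Bin\\QQ.exe", "QueryName": "update.example-vendor.test", "QueryResults": "::ffff:198.51.100.77;"}
{"EventID": 22, "Image": "C:\\ProgramData\\Microsoft\\eHome\\evteng.exe", "QueryName": "dictionary.com", "QueryResults": "::ffff:198.51.100.77;"}
"""
SAMPLE_EVENTS = [json.loads(line) for line in SAMPLE_LOG.strip().splitlines()]


def parse_query_results(field: str) -> list:
    """Sysmon 22 QueryResults looks like 'type: 5 alias;::ffff:1.2.3.4;'; keep only the IPs."""
    ips = []
    for part in field.split(";"):
        part = part.strip()
        if part.startswith("::ffff:"):          # IPv4 answers are logged as IPv4-mapped IPv6
            part = part[len("::ffff:"):]
        try:
            ips.append(ipaddress.ip_address(part))
        except ValueError:                       # CNAME entries and empty fields
            continue
    return ips


def analyse(events: list) -> list:
    """Return (rule, detail) tuples for every event matching the campaign's tradecraft."""
    hits = []
    poisoned_ips = set()
    for ev in events:
        eid = ev.get("EventID")
        image = ev.get("Image", "")
        base = ntpath.basename(image).lower()
        if eid == 1:
            if image.lower().startswith(SIDELOAD_DIR):
                hits.append(("process_in_ehome", image))
            orig = ev.get("OriginalFileName", "").lower()
            if orig and orig != base:            # signed python.exe living on disk as evteng.exe
                hits.append(("renamed_binary", f"{image} (OriginalFileName={orig})"))
        elif eid == 7:
            loaded = ev.get("ImageLoaded", "")
            if ntpath.basename(loaded).lower() in SUSPECT_DLLS and ev.get("Signed", "").lower() != "true":
                hits.append(("unsigned_suspect_dll", f"{image} loaded {loaded}"))
        elif eid == 22:
            name = ev.get("QueryName", "").lower()
            if name in EXPECTED_UPDATE_RANGES:
                for ip in parse_query_results(ev.get("QueryResults", "")):
                    if not any(ip in net for net in EXPECTED_UPDATE_RANGES[name]):
                        poisoned_ips.add(ip)
                        hits.append(("update_host_off_range", f"{name} -> {ip}"))
    # Second pass: an unrelated name answered with an IP that already served a poisoned
    # update is the "dictionary" pattern, where a legitimate domain is repointed too.
    for ev in events:
        if ev.get("EventID") != 22:
            continue
        name = ev.get("QueryName", "").lower()
        if name in EXPECTED_UPDATE_RANGES:
            continue
        for ip in parse_query_results(ev.get("QueryResults", "")):
            if ip in poisoned_ips:
                hits.append(("shares_poisoned_ip", f"{name} -> {ip}"))
    return hits


if __name__ == "__main__":
    for rule, detail in analyse(SAMPLE_EVENTS):
        print(f"{rule:24} {detail}")
```

The off-range DNS rule is the one that needs local tuning: vendor CDNs change addresses, so the expected ranges should be learned from your own resolver history rather than hard-coded, and the correlation rule is what turns one noisy DNS anomaly into a confident finding when a second, unrelated domain lands on the same address.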
