Evasive Panda APT Activity (MgBot Backdoor via DNS Poisoning)

BLUF

The Evasive Panda (APT) group is using a sophisticated "adversary-in-the-middle" technique involving DNS poisoning to deliver the MgBot backdoor into targeted systems, maintaining stealthy, long-term persistence in critical infrastructure sectors.

Executive Cost Summary

This cost analysis was developed by the CyberDax team using expert judgment and assisted analytical tools to support clarity and consistency.

For organizations affected by confirmed or suspected Evasive Panda (MgBot) compromise via DNS poisoning:

  • Low-end total cost: $1.5M – $2M
    (Early detection, limited dwell time, minimal data exposure)

  • Typical expected range: $2.5M – $4M

  • Upper-bound realistic scenarios: $5M – $7M
    (Extended persistence, sensitive sector exposure, and regulatory follow-on actions)

Key cost driver:

Costs are driven less by system outage and more by assurance and trust restoration. DNS poisoning and adversary-in-the-middle techniques undermine confidence in core infrastructure and software update mechanisms, forcing organizations to invest heavily in forensic validation, governance review, and long-term control improvements even when visible damage appears limited.

Targeted Sectors

·         Military

·         Aerospace

·         Defense

·         Research Institutions

·         Critical infrastructure

·         Potentially the software supply chain through third-party vendors

Countries

·         China (mainland, Hong Kong, Macao)

·         India

·         Nigeria

·         Taiwan

·         Myanmar

·         The Philippines

·         Vietnam

·         South Korea

·         Malaysia

·         Africa (telecommunications providers)

·         Australia

·         The United States

Date of First Reported Activity

·         November 2022 (campaign started).

Date of Last Reported Activity Update

·         December 29, 2025

APT Names

·         Evasive Panda (Primary name).

o   Bronze Highland

o   Daggerfly

o   StormBamboo.

Associated Criminal Organization Names

·         Not applicable

IOCs

File Paths

·         Threat actors utilized various file paths, including locations within C:\ProgramData\Microsoft\ and temporary directories, for persistence and execution. Examples include:

·         C:\ProgramData\Microsoft\MF

·         %ProgramData%\Microsoft\PlayReady\dbengin.exe

·         Presence of specific DLL files used for DLL sideloading

Tools Used in Campaign

·         MgBot (custom in-memory backdoor/implant).

·         Custom loader/injector

·         Legitimate, signed executables (abused for DLL sideloading).

CVEs and CVSS Vectors

There are no specific CVEs mentioned for this campaign. It relies on:

·         Living off the land

·         DLL sideloading

·         DNS manipulation

Nessus ID

·         Not applicable

Mitigation

·         Implement robust network segmentation and DNS monitoring

·         Enforce principle of least privilege

·         Monitor for unusual process behavior

o   Example: unexpected network connections from legitimate processes

Malware Names

·         MgBot

Malware Samples

Main module exhibiting extensive modification; includes new logic for system file listing and audio recording.

sha256

fce66c26deff6a5b7320842bc5fa8fe12db991efe6e3edc9c63ffaa3cc5b8ced

URL link to sha256

·         hxxps://www.virustotal.com/gui/file/fce66c26deff6a5b7320842bc5fa8fe12db991efe6e3edc9c63ffaa3cc5b8ced

A related multi-platform red team framework (ProjectGeass) often linked to similar espionage toolsets.

sha256

cca5df85920dd2bdaaa2abc152383c9a1391a3e1c4217382a9b0fce5a83d6e0b

URL link to sample

·         hxxps://www.virustotal.com/gui/file/cca5df85920dd2bdaaa2abc152383c9a1391a3e1c4217382a9b0fce5a83d6e0b

TTPs

Initial Access

·         T1557.002 Adversary-in-the-Middle

o   DNS Poisoning: Observed in late 2025 campaigns to poison DNS requests and redirect legitimate software update traffic to attacker-controlled servers.

·         T1195.002 Supply Chain Compromise

o   Compromised Software Supply Chain: Hijacks update channels of legitimate Chinese applications (e.g., Tencent QQ, SohuVA) to deliver malicious installers.

·         T1189 Drive-by Compromise

o   Leverages compromised websites as watering holes to target specific user groups, such as religious organizations.

Execution

·         T1059.003 Command and Scripting Interpreter

o   Windows Command Shell: Executes shellcode in memory to maintain a low footprint.

·         T1129 Shared Modules

o   Uses a modular C++ architecture where the core implant loads specific DLL plugins to perform specialized tasks.

Persistence & Privilege Escalation

·         T1574.002 Hijack Execution Flow

o   DLL Side-Loading: Injects malicious code into the memory space of signed, legitimate executables to maintain stealth.

·         T1055 Process Injection

o   Employs a custom injector to run MgBot within legitimate system processes.

Defense Evasion

·         T1027 Obfuscated Files or Information

o   Features self-modifying code that alters sections during runtime to defeat static analysis.

·         T1497.001 Virtualization/Sandbox Evasion

o   System Checks: Detects virtualization environments by searching for specific DLLs (e.g., vmhgfs.dll, sbiedll.dll) and enters an infinite loop if found.

·         T1140 Deceptive Code/Data

o   Uses hybrid encryption and per-victim unique implants to complicate signature-based detection.

Discovery

·         T1087 Account Discovery

o   Modules identify local and domain administrator accounts for further lateral movement.

·         T1018 Remote System Discovery

o   Scans the local network (via ARP) to map connected systems.

·         T1046 Network Service Discovery

o   Scans for open HTTP and server services on the network.

Collection & Exfiltration

·         T1056.001 Input Capture: Keylogging

o   Includes a dedicated keylogger plugin (kstrcs.dll) tailored for monitoring chat applications like Tencent QQ.

·         T1123 Audio Capture

o   Records both input and output audio via specialized modules (pRsm.dll).

·         T1555.003 Credentials from Password Stores: Web Browsers

o   Steals credentials from Chrome, Firefox, and Edge, as well as email clients like Outlook.

·         T1213.002 Data from Information Repositories: Sharepoint

o   Targets message histories in social and communication platform databases.

·         T1041 Exfiltration Over C2 Channel

o   Uses raw TCP/UDP or HTTP protocols to send compressed data (often using aPLib) to the C2.

Suggested rules / potential hunts

As a reminder, these are indicator rules; they are likely to be noisy.

For best results, review the data through a data model / daily report.

Suggested Suricata Rules

alert dns any any -> any 53 (msg:"Potential Evasive Panda DNS query to known bad domain"; dns.query; content:"[domain_name]"; nocase; fast_pattern; classtype:trojan-activity; sid:XXXXXXXX; rev:1;)

(The rule matches on the query name in client-to-resolver traffic; replace [domain_name] with the domain from your current intelligence and assign a local sid.)

Suggested SentinelOne Rules

Suspicious Credential Access

event.type == "File Modification" AND src.process.name != "firefox.exe" AND src.process.name != "chrome.exe" AND src.process.name != "filezilla.exe" AND tgt.file.path contains:anycase("AppData\\Local\\Google\\Chrome\\User Data\\*Login Data*", "AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\*logins.json*", "AppData\\Roaming\\FileZilla\\sitemanager.xml") (Tune for specific application paths and legitimate processes)


Unusual Outbound Network Traffic

event.type == "Network Connection" AND (tgt.ip.address NOT in trusted_ip_list OR tgt.domain NOT in trusted_domain_list) AND network.bytes_sent > 10000000 (This requires a well-maintained list of trusted IPs/domains and threshold tuning).


Unauthorized System Configuration Changes

event.type == "Registry Modification" AND tgt.registry.key contains:anycase("Run", "RunOnce") AND src.process.name contains:anycase("mgbot", "macma") (Using process names for high confidence, or broader key-word hunts for "unknown" persistence mechanisms)

Hunt for Specific File Hashes

event.type == "File Creation" AND tgt.file.hash in ("known_mgbot_hash_here", "another_hash_here").

Hunt for Known MgBot TTPs

Data Staging

Query

event.type == "File Creation" AND tgt.file.extension contains:anycase("zip", "rar", "7z") AND tgt.file.path contains:anycase("temp", "appdata") AND tgt.file.size > 10000000 (Tune size/path for your environment).

Process Command Line Analysis


Search for unusual command-line arguments

event.type == "Process Creation" AND src.process.cmdline contains:anycase("powershell -ExecutionPolicy Bypass", "cmd.exe /c", "wscript.exe") combined with other suspicious activity

DNS Anomalies

MgBot uses C2 servers. Look for unusual DNS requests or requests to known malicious domains.

event.type == "Dns Request" AND dns.request.domain contains:anycase("suspiciousmgbotc2.com", "anotherbadsite.xyz") or dns.request.domain not in trusted_domains_list with a threshold on volume
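The two DNS hunts above (lookups that resolve an update domain to an unexpected address, and hosts that query many untrusted domains) as a small Python script over constructed log lines. This is an added example, not code from the report or any vendor; the log format, allowlists and threshold are assumptions you would replace with your own resolver data.

```python
"""Hunt for poisoned answers to software-update domains and for noisy lookups
of untrusted domains. Added example; log lines and allowlists are constructed."""
import re

# Constructed sample, one DNS answer per line: "<host> <queried_domain> <resolved_ip>".
# ws01 received one answer for the update domain that is not the expected address.
SAMPLE_DNS_LOG = """\
ws01 update.example-vendor.test 203.0.113.10
ws01 update.example-vendor.test 198.51.100.77
ws02 update.example-vendor.test 203.0.113.10
ws02 cdn.example-vendor.test 203.0.113.11
ws03 odd-lookup-1.example.test 192.0.2.5
ws03 odd-lookup-2.example.test 192.0.2.6
ws03 odd-lookup-3.example.test 192.0.2.7
"""

# Assumed allowlists: expected answers for update channels, and domains trusted by default.
EXPECTED_UPDATE_ANSWERS = {"update.example-vendor.test": {"203.0.113.10"}}
TRUSTED_DOMAINS = {"update.example-vendor.test", "cdn.example-vendor.test"}
UNTRUSTED_LOOKUP_THRESHOLD = 3  # distinct untrusted domains per host before alerting

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\d{1,3}(?:\.\d{1,3}){3})$")


def parse_dns_log(text):
    """Parse the constructed format into (host, domain, ip) tuples; skip malformed lines."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            records.append((m.group(1), m.group(2).lower(), m.group(3)))
    return records


def find_poisoned_update_answers(records):
    """Return (host, domain, ip) where an update domain resolved outside its expected set."""
    return [(h, d, ip) for h, d, ip in records
            if d in EXPECTED_UPDATE_ANSWERS and ip not in EXPECTED_UPDATE_ANSWERS[d]]


def find_noisy_untrusted_hosts(records, threshold=UNTRUSTED_LOOKUP_THRESHOLD):
    """Return {host: count} for hosts querying at least `threshold` distinct untrusted domains."""
    per_host = {}
    for h, d, _ in records:
        if d not in TRUSTED_DOMAINS:
            per_host.setdefault(h, set()).add(d)
    return {h: len(ds) for h, ds in per_host.items() if len(ds) >= threshold}


if __name__ == "__main__":
    recs = parse_dns_log(SAMPLE_DNS_LOG)
    print("poisoned update answers:", find_poisoned_update_answers(recs))
    print("noisy hosts:", find_noisy_untrusted_hosts(recs))
```

The first check is the one that matters for this campaign: a single unexpected answer for an update domain is worth a look even when volume is low.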

Suggested Splunk Hunts

index=* (EventCode=7 OR EventCode=4688) ("MgBot" OR "EvasivePanda")

index=* "DNS Request" | search query IN ("badactor.com", "c2server.net") | stats count by host, query

(The parentheses are needed because AND binds tighter than OR in SPL; the domains are placeholders to replace with current indicators.)

Delivery Method

·         Adversary-in-the-middle (AiTM) attacks, DNS poisoning to drop loaders.

Email Samples

·         Not applicable; the delivery method is a network-based attack.

References

SecureList

·         hxxps://securelist.com/evasive-panda-apt/118576/

Security Affairs

·         hxxps://securityaffairs.com/186213/apt/evasive-panda-cyberespionage-campaign-uses-dns-poisoning-to-install-mgbot-backdoor.html

Threat Radar

·         hxxps://radar.offseq.com/threat/china-linked-evasive-panda-ran-dns-poisoning-campa-de4fd13f

The Hacker News

·         hxxps://thehackernews.com/2025/12/china-linked-evasive-panda-ran-dns.html

Malware News

·         hxxps://malware.news/t/evasive-panda-apt-poisons-dns-requests-to-deliver-mgbot/102815

VirusTotal

·         hxxps://www.virustotal.com/gui/file/fce66c26deff6a5b7320842bc5fa8fe12db991efe6e3edc9c63ffaa3cc5b8ced

·         hxxps://www.virustotal.com/gui/file/cca5df85920dd2bdaaa2abc152383c9a1391a3e1c4217382a9b0fce5a83d6e0b
