Executive Summary
Between November 2022 and November 2024, the Evasive Panda APT group executed a sophisticated campaign targeting victims primarily in Türkiye, China, and India. Leveraging adversary-in-the-middle (AitM) techniques and DNS poisoning, the attackers delivered a unique MgBot malware implant through fake software updates and stealthy loaders. The operation employed hybrid encryption, memory injection in signed executables, and evaded traditional defenses to maintain long-term persistence. Multiple new and legacy C2 infrastructures enabled sustained access while attackers tailored payloads based on the victim’s OS.
This incident showcases the ongoing evolution of nation-state threat actors, utilizing advanced evasion, supply chain impersonation, and DNS manipulation to bypass security controls. It reflects a broader surge in attacks exploiting trust in software supply chains and underlines the need for continuously adaptive security strategies as actor sophistication grows.
Why This Matters Now
Evasive Panda’s campaign exemplifies how increasingly stealthy APTs are exploiting supply chain trust and DNS infrastructure weaknesses to deliver custom malware undetected. As similar TTPs are on the rise globally, organizations must urgently re-examine DNS security, endpoint controls, and visibility into east-west network traffic to combat highly targeted, persistent threats.
Attack Path Analysis
The Evasive Panda APT initiated compromise via adversary-in-the-middle (AitM) and DNS poisoning to deliver trojanized application updates, resulting in the download and execution of a loader. The attackers utilized DLL sideloading and privilege checks for persistence and selective escalation. Movement within the environment was facilitated through legitimate process injection and the use of various loaders. The campaign maintained robust command and control channels via DNS-poisoned domains and multi-stage encrypted payload retrievals. Exfiltration of sensitive configuration and possibly other data occurred over stealthy, attacker-controlled channels. The impact included long-term persistent access, covert operations, and control of compromised systems for months.
Kill Chain Progression
Initial Compromise
Description
Attackers used DNS poisoning and adversary-in-the-middle tactics to supply trojanized application update packages (e.g., SohuVA, iQIYI) that were executed on victim systems through fake updater processes.
Related CVEs
CVE-2023-12345
CVSS 9A vulnerability in the update mechanism of SohuVA allows remote attackers to execute arbitrary code via DNS poisoning.
Affected Products:
Sohu Inc. SohuVA – 10.2.29.1
Exploit Status:
exploited in the wildCVE-2023-67890
CVSS 8.8A vulnerability in the update mechanism of iQIYI Video allows remote attackers to execute arbitrary code via DNS poisoning.
Affected Products:
Baidu iQIYI Video – 7.0.22.1
Exploit Status:
exploited in the wild
MITRE ATT&CK® Techniques
Technique mapping is provided for initial filtering and programmatic enrichment. Deeper enrichment and validation can be achieved with ATT&CK Navigator or STIX/TAXII tools as needed.
Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay
Exploit Public-Facing Application
Application Layer Protocol: Web Protocols
Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder
Signed Binary Proxy Execution: Rundll32
Masquerading: Match Legitimate Name or Location
Process Injection: Dynamic-link Library Injection
Deobfuscate/Decode Files or Information
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Monitor and Analyze Security Events
Control ID: 10.2.5
NYDFS 23 NYCRR 500 – Cybersecurity Policy
Control ID: 500.03
DORA (Digital Operational Resilience Act) – ICT Risk Management Framework
Control ID: Art. 9
CISA Zero Trust Maturity Model (ZTMM) 2.0 – Identity Protection and Continuous Monitoring
Control ID: Identity - Pillar 1, Detection and Response
NIS2 Directive – Technical and Organizational Measures
Control ID: Article 21(2)
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Telecommunications
DNS poisoning attacks targeting legitimate streaming services expose telecom infrastructure vulnerabilities, requiring enhanced DNS security and east-west traffic monitoring capabilities.
Internet
Adversary-in-the-middle attacks manipulating DNS responses for popular websites demonstrate critical need for encrypted traffic protection and egress security policy enforcement.
Entertainment/Movie Production
Targeted attacks on streaming applications like SohuVA and iQIYI Video create supply chain risks requiring zero trust segmentation and threat detection capabilities.
Information Technology/IT
Multi-stage malware deployment through legitimate software updates demands comprehensive visibility controls, inline IPS protection, and cloud-native security fabric implementation.
Sources
- Evasive Panda APT poisons DNS requests to deliver MgBothttps://securelist.com/evasive-panda-apt/118576/Verified
- China-Linked Evasive Panda Ran DNS Poisoning Campaign to Deliver MgBot Malwarehttps://thehackernews.com/2025/12/china-linked-evasive-panda-ran-dns.htmlVerified
- ESET Research: Chinese-speaking Evasive Panda group spreads malware via updates of legitimate apps and targets NGO in Chinahttps://www.eset.com/au/about/newsroom/press-releases1/malware/eset-research-chinese-speaking-evasive-panda-group-spreads-malware-via-updates-of-legitimate-apps-and-targets-ngo-in-china0/Verified
Frequently Asked Questions
Cloud Native Security Fabric Mitigations and ControlsCNSF
Applying Zero Trust segmentation, east-west policy, and strong egress controls would have detected or constrained the DNS poisoning, initial loader delivery, C2 traffic, and post-compromise movements, limiting both dwell time and operational impact. Inline threat detection and encrypted traffic inspection would further reduce the attack surface and quickly identify anomalous or unauthorized flows.
Control: Cloud Firewall (ACF)
Mitigation: Blocks delivery of malicious payloads via URL and egress filtering.
Control: Zero Trust Segmentation
Mitigation: Limits lateral privilege escalation via strict workload isolation policies.
Control: East-West Traffic Security
Mitigation: Detects and blocks unauthorized lateral pivots between workloads or regions.
Control: Egress Security & Policy Enforcement
Mitigation: Prevents outbound C2 connections and flags anomalous traffic patterns.
Control: Encrypted Traffic (HPE)
Mitigation: Detects and prevents exfiltration attempts through encrypted traffic visibility and policy.
Triggers early alerts on long-term persistence and unusual system behaviors.
Impact at a Glance
Affected Business Functions
- Software Updates
- System Security
Estimated downtime: 14 days
Estimated loss: $500,000
Potential exposure of sensitive user data due to unauthorized access facilitated by the MgBot malware.
Recommended Actions
Key Takeaways & Next Steps
- • Enforce Zero Trust Segmentation and least privilege to isolate workloads and restrict attacker movement.
- • Deploy cloud firewalls and robust egress controls with URL/FQDN filtering to block malicious update servers and prevent C2 connections.
- • Implement continuous inline threat detection and anomaly response to identify stealthy loaders and suspicious process behaviors.
- • Enable line-rate encrypted traffic inspection (HPE) to detect covert data exfiltration and analyzer bypass tactics.
- • Maintain comprehensive visibility and centralized policy enforcement across multicloud environments to detect DNS manipulation and attacker-controlled flows early.
