Executive Summary
Between November 2022 and November 2024, the China-linked Evasive Panda APT group conducted a sophisticated cyber espionage campaign targeting entities in Türkiye, China, and India. The attackers leveraged DNS poisoning techniques to redirect requests for popular software updates (such as SohuVA and Tencent QQ) to attacker-controlled infrastructure. Through adversary-in-the-middle attacks, victims received trojanized loaders, which proceeded to fetch and decrypt highly targeted MgBot backdoors. The attack chain involved supply chain and AitM vectors, advanced encryption and obfuscation methods, and allowed persistent compromise and broad data theft, including keylogging and credential exfiltration.
This campaign highlights the growing sophistication of APT operations exploiting core network infrastructure such as DNS to evade perimeter defenses. The increased prevalence of similar DNS-manipulation campaigns and targeted malware delivery emphasizes the urgent need for robust segmentation, encrypted traffic, and thorough network and endpoint visibility.
Why This Matters Now
This incident underscores the urgent risk of supply chain and DNS-based attacks, particularly as adversaries increasingly exploit service provider infrastructure and encrypted traffic for long-term persistence and data exfiltration. With more organizations moving to hybrid and multi-cloud architectures, advanced APT techniques targeting foundational network protocols are particularly relevant and require updated controls.
Attack Path Analysis
The attack began with Evasive Panda poisoning DNS responses at the network edge so that update requests from legitimate software were redirected to attacker-controlled infrastructure, which served a trojanized loader in place of the real update. The attackers then sideloaded malicious DLLs and custom shellcode to establish persistence on the victim endpoints. Through internal pivoting and runtime payload decryption, they maintained stealth and moved within the compromised environments. Command and control was achieved through covert DNS and HTTP channels used to fetch second-stage payloads and exfiltrate telemetry. Key files and keystrokes were exfiltrated over encrypted channels using fileless methods. The persistent MgBot implant allowed the group to harvest credentials, maintain long-term access, and collect sensitive data from the victim organizations.
Kill Chain Progression
Initial Compromise
Description
Attackers compromised ISP or edge infrastructure to poison DNS responses and redirect legitimate application updates to attacker-controlled servers, resulting in download and execution of malicious loaders on victim devices.
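The redirection described above is detectable on the defender's side because a poisoned answer for an update hostname differs from what independent resolvers return and from the address ranges the vendor normally serves from. The following is an added example, not code from the page's sources or from any vendor named in the brief: it parses constructed resolver log lines and raises an alert when a monitored update hostname resolves outside an allowlisted prefix, or when the local resolver's answer shares nothing with reference resolvers queried at the same time. All hostnames (`*.invalid`), prefixes (RFC 5737/3849 documentation ranges) and resolver labels are constructed placeholders.

```python
"""Detect possible DNS poisoning of software-update hostnames by comparing
resolver answers against an allowlist and against reference resolvers.
All hostnames, prefixes and log lines below are constructed for illustration."""
import ipaddress
from collections import defaultdict

# Hypothetical update hostnames and the address ranges their vendor's CDN is
# known to answer from (constructed values, not real vendor infrastructure).
UPDATE_HOST_ALLOWLIST = {
    "update.vendor-a.invalid": ["203.0.113.0/24"],
    "dl.vendor-b.invalid": ["198.51.100.0/25", "2001:db8:1::/48"],
}

# Resolver the endpoints actually used versus independent references
# (constructed labels).
LOCAL_RESOLVER = "isp-resolver"
REFERENCE_RESOLVERS = {"ref-doh-1", "ref-doh-2"}

# Constructed log lines: ts, client, qname, qtype, answer, resolver.
SAMPLE_LOG = """\
1700000001 10.0.0.5 update.vendor-a.invalid A 203.0.113.25 isp-resolver
1700000001 10.0.0.5 update.vendor-a.invalid A 203.0.113.25 ref-doh-1
1700000002 10.0.0.7 dl.vendor-b.invalid A 198.51.100.10 isp-resolver
1700000002 10.0.0.7 dl.vendor-b.invalid A 198.51.100.10 ref-doh-1
1700000003 10.0.0.9 update.vendor-a.invalid A 192.0.2.66 isp-resolver
1700000003 10.0.0.9 update.vendor-a.invalid A 203.0.113.40 ref-doh-1
1700000003 10.0.0.9 update.vendor-a.invalid A 203.0.113.40 ref-doh-2
1700000004 10.0.0.9 www.unrelated.invalid A 192.0.2.9 isp-resolver
"""


def parse_line(line):
    """Split one whitespace-separated log line into a dict; return None if malformed."""
    parts = line.split()
    if len(parts) != 6:
        return None
    ts, client, qname, qtype, answer, resolver = parts
    if qtype not in ("A", "AAAA"):
        return None
    try:
        addr = ipaddress.ip_address(answer)
    except ValueError:
        return None
    return {"ts": int(ts), "client": client, "qname": qname.lower().rstrip("."),
            "answer": addr, "resolver": resolver}


def outside_allowlist(qname, addr):
    """True when qname is a monitored update host and addr is outside its vendor ranges."""
    prefixes = UPDATE_HOST_ALLOWLIST.get(qname)
    if prefixes is None:
        return False  # not a monitored host
    # An IPv4 address is never "in" an IPv6 network, so mixed lists are safe.
    return not any(addr in ipaddress.ip_network(p) for p in prefixes)


def find_divergence(records):
    """Group monitored-host answers by (ts, client, qname) and flag cases where the
    local resolver's answers share nothing with the reference resolvers' answers."""
    groups = defaultdict(lambda: defaultdict(set))
    for r in records:
        if r["qname"] in UPDATE_HOST_ALLOWLIST:
            groups[(r["ts"], r["client"], r["qname"])][r["resolver"]].add(r["answer"])
    alerts = []
    for (ts, client, qname), by_resolver in groups.items():
        local = by_resolver.get(LOCAL_RESOLVER, set())
        reference = set().union(*(by_resolver.get(ref, set()) for ref in REFERENCE_RESOLVERS))
        if local and reference and local.isdisjoint(reference):
            alerts.append({"type": "resolver_divergence", "ts": ts, "client": client,
                           "qname": qname, "local": sorted(map(str, local)),
                           "reference": sorted(map(str, reference))})
    return alerts


def analyze(log_text):
    """Return all alerts for a block of log text (allowlist violations and divergence)."""
    records = [r for r in map(parse_line, log_text.splitlines()) if r]
    alerts = [{"type": "unexpected_answer", "ts": r["ts"], "client": r["client"],
               "qname": r["qname"], "answer": str(r["answer"]), "resolver": r["resolver"]}
              for r in records if outside_allowlist(r["qname"], r["answer"])]
    alerts.extend(find_divergence(records))
    return alerts


if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG):
        print(alert)
```

On the constructed sample the third client's lookup produces two alerts: the ISP resolver's answer falls outside the vendor prefix, and it is disjoint from what both reference resolvers returned at the same second. Prefix allowlists are brittle for CDN-hosted update servers and should be treated as a trigger for investigation rather than a blocking rule; the control that actually defeats a poisoned redirect is the updater verifying the publisher's signature on the downloaded file before executing it.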
Related CVEs
CVE-2023-XXXX
CVSS 8.8
A vulnerability in the update mechanism of SohuVA allows remote attackers to execute arbitrary code via DNS poisoning.
Affected Products:
Sohu SohuVA – 7.0.18.0
Exploit Status:
exploited in the wild
CVE-2023-YYYY
CVSS 8.8
A vulnerability in the update mechanism of iQIYI Video allows remote attackers to execute arbitrary code via DNS poisoning.
Affected Products:
Baidu iQIYI Video – 7.0.18.0
Exploit Status:
exploited in the wild
CVE-2023-ZZZZ
CVSS 8.8
A vulnerability in the update mechanism of Tencent QQ allows remote attackers to execute arbitrary code via DNS poisoning.
Affected Products:
Tencent QQ – 7.0.18.0
Exploit Status:
exploited in the wild
MITRE ATT&CK® Techniques
Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay
Browser Session Hijacking
Application Layer Protocol: DNS
Exploit Public-Facing Application
User Execution: Malicious File
Process Injection: Process Hollowing
Indicator Removal on Host: Timestomp
Data from Local System
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Monitor and Respond to Security Events
Control ID: 10.2.4
NYDFS 23 NYCRR 500 – Cybersecurity Policy
Control ID: 500.03
DORA (Digital Operational Resilience Act) – ICT Risk Management Framework
Control ID: Article 9
CISA Zero Trust Maturity Model 2.0 – Limit Lateral Movement and Network Trust
Control ID: Network: Micro-Segmentation
NIS2 Directive – Incident Prevention, Detection and Response
Control ID: Article 21(2)
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Telecommunications
DNS poisoning via ISP compromise enables APT infiltration of telecom infrastructure, requiring zero trust segmentation and encrypted traffic monitoring capabilities.
Internet
Internet service providers face targeted DNS manipulation attacks allowing malware distribution through compromised network infrastructure and edge device exploitation.
Government Administration
State-sponsored APT campaigns targeting government entities through DNS poisoning demand enhanced threat detection, anomaly response, and multicloud visibility controls.
Information Technology/IT
IT sector vulnerable to supply chain compromises via trojanized software updates, requiring egress security enforcement and inline intrusion prevention systems.
Sources
- China-Linked Evasive Panda Ran DNS Poisoning Campaign to Deliver MgBot Malware (https://thehackernews.com/2025/12/china-linked-evasive-panda-ran-dns.html)
- Kaspersky uncovers new targeted attacks by Evasive Panda aimed at Türkiye, China, and India (https://www.kaspersky.com/about/press-releases/kaspersky-uncovers-new-targeted-attacks-by-evasive-panda-aimed-at-turkiye-china-and-india)
- ESET Research: Chinese-speaking Evasive Panda group spreads malware via updates of legitimate apps and targets NGO in China (https://www.eset.com/au/about/newsroom/press-releases1/malware/eset-research-chinese-speaking-evasive-panda-group-spreads-malware-via-updates-of-legitimate-apps-and-targets-ngo-in-china0/)
Cloud Native Security Fabric (CNSF) Mitigations and Controls
Network segmentation, egress policy enforcement, intrusion prevention, and encrypted traffic controls provided by a Cloud Network Security Framework would have hindered each stage of this attack—limiting initial compromise via poisoned updates, detecting lateral movement, enforcing encrypted east-west flows, and blocking data exfiltration even if initial access succeeded.
Control: Cloud Firewall (ACF)
Mitigation: Inbound and outbound requests to malicious domains would be blocked at the perimeter.
Control: Threat Detection & Anomaly Response
Mitigation: Suspicious workload behavior and unauthorized privilege escalation attempts would be detected in real time.
Control: Zero Trust Segmentation
Mitigation: Unauthorized east-west movement would be blocked by identity-based network segmentation.
Control: Inline IPS (Suricata)
Mitigation: Malicious C2 signatures would have been detected and blocked during real-time inspection.
Control: Egress Security & Policy Enforcement
Mitigation: Data loss would be restricted by granular egress controls and visibility.
Comprehensive visibility and centralized policy would minimize dwell time and support rapid remediation.
Impact at a Glance
Affected Business Functions
- Software Update Mechanisms
- User Data Security
Estimated downtime: 30 days
Estimated loss: $5,000,000
Potential exposure of sensitive user data, including personal information and credentials, due to malware infiltration via compromised software updates.
Recommended Actions
Key Takeaways & Next Steps
- Deploy Zero Trust Segmentation to restrict workload communication and prevent lateral movement.
- Enforce strict cloud firewall policies with FQDN and application filtering to block malicious update and C2 domains.
- Implement inline IPS and real-time anomaly detection to identify and stop exploitation and C2 traffic.
- Mandate encrypted traffic for all sensitive data flows and enforce egress policies to block unauthorized outbound transfers.
- Maintain continuous multicloud visibility and centralized control to rapidly detect, isolate, and remediate compromised assets.