China-linked APT used DNS poisoning to deliver MgBot backdoor, Kaspersky says

Kaspersky has attributed a highly targeted cyber espionage campaign to a China-linked advanced persistent threat tracked as Evasive Panda, saying the group used poisoned Domain Name System (DNS) responses to deliver an MgBot backdoor to victims in Türkiye, China and India between November 2022 and November 2024.

Kaspersky researcher Fatih Şensoy said the actor mainly performed adversary-in-the-middle (AitM) attacks against specific victims, dropping loaders in chosen locations and hosting encrypted malware components on attacker-controlled servers that victims reached only when DNS requests for particular websites were answered with the attackers' addresses.

Security vendors have previously reported similar DNS poisoning activity by China-aligned groups. Volexity disclosed a campaign in 2024 that used DNS manipulation to push malicious updates, and ESET recently said it is tracking a number of China-based clusters that have leveraged AitM poisoning for initial access or lateral movement. The technique is commonly described as a DNS poisoning attack.

Kaspersky said attackers used lures masquerading as legitimate updaters for third-party software—examples include SohuVA, Baidu iQIYI, IObit Smart Defrag and Tencent QQ—and served malicious updates from domains such as “p2p.hd.sohu.com[.]cn.” The company also reported the actor manipulated the IP address associated with dictionary[.]com so requests resolved to attacker-controlled servers depending on a victim’s geography and internet service provider.
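Because the poisoned answers depended on the victim's geography and ISP, a defender's first check is whether the host's own resolver agrees with independent resolvers for the domains named in the report. The script below is an added example, not code from Kaspersky or the report; it compares the local resolver's A records against two public DNS-over-HTTPS resolvers (assumed reachable) and flags domains where the local answer shares no address with any reference. The comparison logic is kept in a pure function so it can be run over captured results as well.

```python
"""Compare local-resolver A records with independent DoH resolvers (added example)."""
import json
import socket
import urllib.parse
import urllib.request

# Public DoH endpoints that return the application/dns-json format (assumed reachable;
# any resolver speaking that format can be substituted).
DOH_RESOLVERS = {
    "cloudflare": "https://cloudflare-dns.com/dns-query",
    "google": "https://dns.google/resolve",
}


def local_a_records(name):
    """A records as seen by the host's configured (possibly poisoned) resolver."""
    try:
        infos = socket.getaddrinfo(name, None, socket.AF_INET)
    except socket.gaierror:
        return set()
    return {info[4][0] for info in infos}


def doh_a_records(name, endpoint, timeout=5):
    """A records from a DoH resolver using the JSON response format."""
    url = endpoint + "?" + urllib.parse.urlencode({"name": name, "type": "A"})
    req = urllib.request.Request(url, headers={"accept": "application/dns-json"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        body = json.load(resp)
    # rtype 1 is A; NXDOMAIN or CNAME-only answers yield an empty set
    return {rr["data"] for rr in body.get("Answer", []) if rr.get("type") == 1}


def find_divergent(answers):
    """answers: {domain: {"local": set_of_ips, "<reference>": set_of_ips, ...}}.

    Returns {domain: sorted_local_ips} for domains whose local answer shares no
    address with any reference resolver. A failed local lookup or an absence of
    reference answers is not flagged: that is a resolution failure, not evidence
    of poisoning.
    """
    divergent = {}
    for domain, by_resolver in answers.items():
        local = by_resolver.get("local", set())
        refs = [ips for name, ips in by_resolver.items() if name != "local"]
        if not local or not any(refs):
            continue
        if not any(local & ref for ref in refs):
            divergent[domain] = sorted(local)
    return divergent


def check(domains):
    """Live comparison: local resolver versus each DoH reference for every domain."""
    answers = {}
    for d in domains:
        answers[d] = {"local": local_a_records(d)}
        for name, endpoint in DOH_RESOLVERS.items():
            try:
                answers[d][name] = doh_a_records(d, endpoint)
            except (OSError, ValueError):
                answers[d][name] = set()  # unreachable reference counts as no answer
    return find_divergent(answers)


if __name__ == "__main__":
    # Domains named in the report as used for the poisoned answers
    for domain, ips in check(["p2p.hd.sohu.com.cn", "dictionary.com"]).items():
        print(f"{domain}: local resolver returned {ips}, no overlap with references")
```

A disagreement is a lead, not a verdict: CDN-fronted domains legitimately return different addresses by region, so confirm a flagged address by checking which network owns it and whether the served TLS certificate matches the domain before treating the resolver path as compromised.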

The intrusion chain described by Kaspersky begins with an initial loader that launches shellcode to fetch an encrypted second-stage payload, delivered as a PNG file; the HTTP request for that stage includes the Windows version number. A secondary loader, "libpython2.4.dll," is sideloaded by a renamed copy of an older "python.exe" and reads the encrypted payload from C:\ProgramData\Microsoft\eHome\perf.dat. Kaspersky said the attackers decrypt it with a custom scheme combining Microsoft DPAPI and RC5 that binds decryption to the specific host, so a copy of perf.dat taken from the machine cannot be decrypted elsewhere; the final payload is an MgBot variant injected into svchost.exe that can harvest files, log keystrokes, capture audio and steal browser credentials.
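The sideload chain above leaves three host artifacts that can be hunted independently of the DNS layer: a process whose PE version information still says python.exe although the file has been renamed, libpython2.4.dll loaded from a directory that is not a Python installation, and the perf.dat container at its documented path. The hunt below is an added example, not Kaspersky's code or detection content; it runs over constructed Sysmon-style events (process create, image load and file create) and scores a host "high" when two or more of the indicators co-occur. The trusted Python directories and the renamed executable name "updater.exe" are assumptions for the example, not indicators from the report.

```python
"""Hunt Sysmon-style events for the renamed-python / libpython2.4.dll sideload chain (added example)."""
import ntpath

# Artifacts taken from the report's description
SIDELOADED_DLL = "libpython2.4.dll"
STAGING_FILE = r"c:\programdata\microsoft\ehome\perf.dat"
# Where a genuine interpreter loading a libpython DLL would live (assumption; tune per estate)
TRUSTED_PY_DIRS = (
    r"c:\python",
    r"c:\program files\python",
    r"c:\program files (x86)\python",
    r"\appdata\local\programs\python",
)


def _norm(path):
    return path.replace("/", "\\").lower()


def is_renamed_python(event):
    """EventID 1: version info names python.exe but the on-disk file is called something else."""
    image = _norm(event.get("Image", ""))
    return event.get("OriginalFileName", "").lower() == "python.exe" and ntpath.basename(image) != "python.exe"


def is_suspicious_sideload(event):
    """EventID 7: libpython2.4.dll loaded from outside the known Python install directories."""
    loaded = _norm(event.get("ImageLoaded", ""))
    if ntpath.basename(loaded) != SIDELOADED_DLL:
        return False
    return not any(d in loaded for d in TRUSTED_PY_DIRS)


def is_staging_file(event):
    """EventID 11: the encrypted payload container written at its documented path."""
    return _norm(event.get("TargetFilename", "")) == STAGING_FILE


def hunt(events):
    """Return {host: {"indicators": [...], "severity": "high"|"low"}} for hosts with any match."""
    findings = {}
    for ev in events:
        hits = findings.setdefault(ev.get("Computer", "?"), set())
        eid = ev.get("EventID")
        if eid == 1 and is_renamed_python(ev):
            hits.add("renamed_python")
        elif eid == 7 and is_suspicious_sideload(ev):
            hits.add("libpython_sideload")
        elif eid == 11 and is_staging_file(ev):
            hits.add("perf_dat_staging")
    return {
        host: {"indicators": sorted(v), "severity": "high" if len(v) >= 2 else "low"}
        for host, v in findings.items() if v
    }


# Constructed sample events (not from the report) using Sysmon field names
SAMPLE_EVENTS = [
    {"Computer": "ws01", "EventID": 1, "Image": r"C:\ProgramData\Microsoft\eHome\updater.exe",
     "OriginalFileName": "python.exe"},
    {"Computer": "ws01", "EventID": 7, "Image": r"C:\ProgramData\Microsoft\eHome\updater.exe",
     "ImageLoaded": r"C:\ProgramData\Microsoft\eHome\libpython2.4.dll"},
    {"Computer": "ws01", "EventID": 11, "TargetFilename": r"C:\ProgramData\Microsoft\eHome\perf.dat"},
    # Benign developer box: real interpreter loading the DLL from its own install directory
    {"Computer": "dev02", "EventID": 1, "Image": r"C:\Python24\python.exe", "OriginalFileName": "python.exe"},
    {"Computer": "dev02", "EventID": 7, "Image": r"C:\Python24\python.exe",
     "ImageLoaded": r"C:\Python24\libpython2.4.dll"},
]

if __name__ == "__main__":
    for host, result in hunt(SAMPLE_EVENTS).items():
        print(host, result["severity"], ", ".join(result["indicators"]))
```

The renamed-binary check relies on Sysmon's OriginalFileName field, which comes from the PE version resource and survives a rename on disk; the perf.dat path match is exact because the report gives the full path, whereas the DLL check is location-based because the attacker chooses where the loader lands.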

Kaspersky noted it is not yet known how the actor is poisoning DNS responses; investigators suspect either selective compromise of ISPs or compromise of the routers or firewalls used by victims. The vendor said the campaign demonstrates the group's ability to evade detection and maintain long-term persistence in targeted systems.