Evasive Panda Conducts DNS Poisoning Campaign to Deploy MgBot Malware
Summary
The China-linked APT group Evasive Panda (also known as Bronze Highland, Daggerfly, and StormBamboo) has been identified as responsible for a targeted cyber espionage campaign that utilized DNS poisoning to deliver the MgBot backdoor malware. The campaign, which took place between November 2022 and November 2024, targeted victims in Türkiye, China, and India. The attackers employed adversary-in-the-middle (AitM) techniques, including dropping loaders in specific locations and storing encrypted malware parts on attacker-controlled servers. This campaign highlights the group's advanced capabilities in evading security measures and maintaining long-term persistence in compromised systems.
Timeline
- 26.12.2025 16:44 (1 article): Evasive Panda Conducts DNS Poisoning Campaign to Deploy MgBot Malware
Between November 2022 and November 2024, the China-linked APT group Evasive Panda conducted a targeted cyber espionage campaign that utilized DNS poisoning to deliver the MgBot backdoor malware. The campaign targeted victims in Türkiye, China, and India, employing adversary-in-the-middle (AitM) techniques to drop loaders and store encrypted malware parts on attacker-controlled servers. The attackers used fake updates for third-party software such as SohuVA, Baidu's iQIYI Video, IObit Smart Defrag, and Tencent QQ to deliver the malware. The second-stage payload was delivered as a PNG image file and was unique to each victim to bypass detection. The malware used a custom encryption algorithm to complicate analysis and ensure persistence. MgBot is a modular implant capable of harvesting files, logging keystrokes, gathering clipboard data, recording audio streams, and stealing credentials from web browsers.
Sources:
- China-Linked Evasive Panda Ran DNS Poisoning Campaign to Deliver MgBot Malware — thehackernews.com — 26.12.2025 16:44
Information Snippets
- Evasive Panda conducted a DNS poisoning campaign to deliver MgBot malware between November 2022 and November 2024. (First reported: 26.12.2025 16:44; 1 source, 1 article)
- The campaign targeted victims in Türkiye, China, and India. (First reported: 26.12.2025 16:44; 1 source, 1 article)
- The attackers used adversary-in-the-middle (AitM) techniques, including dropping loaders and storing encrypted malware parts on attacker-controlled servers. (First reported: 26.12.2025 16:44; 1 source, 1 article)
- The malware was delivered through fake updates for third-party software such as SohuVA, Baidu's iQIYI Video, IObit Smart Defrag, and Tencent QQ. (First reported: 26.12.2025 16:44; 1 source, 1 article)
- The campaign involved manipulating DNS responses to redirect victims to attacker-controlled servers. (First reported: 26.12.2025 16:44; 1 source, 1 article)
- The second-stage payload was delivered as a PNG image file and was unique to each victim to bypass detection. (First reported: 26.12.2025 16:44; 1 source, 1 article)
- The malware used a custom encryption algorithm to complicate analysis and ensure persistence. (First reported: 26.12.2025 16:44; 1 source, 1 article)
- MgBot is a modular implant capable of harvesting files, logging keystrokes, gathering clipboard data, recording audio streams, and stealing credentials from web browsers. (First reported: 26.12.2025 16:44; 1 source, 1 article)

Source for all snippets: China-Linked Evasive Panda Ran DNS Poisoning Campaign to Deliver MgBot Malware — thehackernews.com — 26.12.2025 16:44
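The delivery chain above depends on the victim's resolver returning an attacker-controlled address for a legitimate update hostname. One practical way for a defender to surface that is to compare what the local resolver answers for update domains against an independent reference resolver and against the vendor's known-good address ranges. The script below is an added example written for this page, not code from the article or from any vendor: every hostname, resolver label and IP address in it is constructed (documentation and TEST-NET ranges), and the `KNOWN_GOOD` allowlist is a hypothetical baseline that in practice would come from the vendor or from long-term passive DNS data.

```python
"""
Added example: flag update-server hostnames whose DNS answers look poisoned.

Two signals are combined:
  1. the resolver a host actually uses disagrees with an independent
     reference resolver (the divergence a DNS poisoning attack produces);
  2. an answer falls outside the vendor's known-good address ranges.
All hostnames, resolver names and addresses below are constructed.
"""
from dataclasses import dataclass
import ipaddress


@dataclass(frozen=True)
class Observation:
    resolver: str            # label of the resolver that returned the answer
    qname: str               # hostname that was queried
    answers: frozenset       # A-record addresses returned, as strings


# Hypothetical baseline: ranges the (constructed) vendors serve updates from.
KNOWN_GOOD = {
    "update.example-video.test": [ipaddress.ip_network("198.51.100.0/24")],
    "update.example-defrag.test": [ipaddress.ip_network("203.0.113.0/24")],
}


def in_known_good(qname, ip):
    """True if ip is inside a baseline range for qname.
    Names with no baseline are not judged on this signal at all."""
    ranges = KNOWN_GOOD.get(qname)
    if ranges is None:
        return True
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ranges)


def find_suspicious(observations, reference_resolver):
    """Return {qname: [reason, ...]} for names whose local answers diverge
    from the reference resolver or leave the known-good ranges."""
    by_name = {}
    for ob in observations:
        by_name.setdefault(ob.qname, {})[ob.resolver] = ob.answers

    findings = {}
    for qname, per_resolver in by_name.items():
        ref = per_resolver.get(reference_resolver)
        reasons = []
        for resolver, answers in per_resolver.items():
            if resolver == reference_resolver:
                continue
            # Signal 1: local answer set differs from the reference resolver.
            if ref is not None and answers != ref:
                reasons.append(
                    f"{resolver} answered {sorted(answers)} but "
                    f"{reference_resolver} answered {sorted(ref)}"
                )
            # Signal 2: any answer outside the vendor's baseline ranges.
            bad = sorted(ip for ip in answers if not in_known_good(qname, ip))
            if bad:
                reasons.append(
                    f"{resolver} returned addresses outside known-good ranges: {bad}"
                )
        if reasons:
            findings[qname] = reasons
    return findings


# Constructed sample: the corporate resolver hands out a poisoned answer for
# one update host, while the reference resolver still returns the real range.
SAMPLE = [
    Observation("corp-resolver", "update.example-video.test", frozenset({"192.0.2.77"})),
    Observation("reference-doh", "update.example-video.test", frozenset({"198.51.100.10"})),
    Observation("corp-resolver", "update.example-defrag.test", frozenset({"203.0.113.5"})),
    Observation("reference-doh", "update.example-defrag.test", frozenset({"203.0.113.5"})),
]


def main():
    for qname, reasons in find_suspicious(SAMPLE, "reference-doh").items():
        print(f"[!] {qname}")
        for r in reasons:
            print(f"    - {r}")


if __name__ == "__main__":
    main()
```

Run it as-is and only `update.example-video.test` is reported, with both signals firing; the defrag host, answered identically by both resolvers and inside its baseline, stays quiet. Divergence alone is a weak signal (CDNs legitimately return different addresses per vantage point), which is why the baseline check is kept as a second, independent signal and why neither replaces verifying an update's signature before it is installed.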