Find notable cyber news and cases, enriched with sources, timelines, and signals.

MgBot backdoor delivery and injection via secondary loader

Malware Activity
First reported
Last updated
Happening score
H score 28
1 unique sources, 1 articles

Summary

Hide ▲

The MgBot backdoor was delivered through a secondary loader and injected into svchost.exe, giving operators a stealthy foothold on infected systems. The payload supports credential theft, keystroke logging, clipboard capture, and audio recording. That behavior makes the malware suitable for long-term espionage and silent data collection. The delivery chain also used sideloading and encrypted staging to reduce detection.

Related Happenings

ESET analysis of SprySOCKS Windows variants adds IOC-backed detection guidance

Technical Analysis
H score34 First: 16.06.2026 12:00 Last: 16.06.2026 12:00 Sources 1

About this happening: **ESET** identified previously undocumented **Windows variants** of **SprySOCKS**, a backdoor attributed to **FishMonger** and linked to **I-Soon**. The **WIN_DRV** and **WIN_PLUS...

SPECTRALVIPER DLL sideloading backdoor activity

Malware Activity
H score31 First: 11.06.2026 12:45 Last: 11.06.2026 12:45 Sources 1

About this happening: The **SPECTRALVIPER** backdoor was executed on affected **Windows** hosts through a **DLL sideloading** chain during **October 2025 to March 2026**, giving operators a way to run...

Evasive Panda DNS poisoning MgBot espionage campaign

Campaign
H score33 First: 26.12.2025 16:44 Last: 26.12.2025 16:44 Sources 1

How related: A China-linked advanced persistent threat (APT) group has been attributed to a highly-targeted cyber espionage campaign in which the adversary poisoned Domain Name System (DNS) requests to deliver its signature MgBot backdoor in attacks targeting victims in Türkiye, China, and India.

About this happening: **Evasive Panda** ran a **highly targeted cyber espionage campaign** that used **DNS poisoning** to deliver **MgBot** to victims in **Türkiye, China, and India**. The operation wa...

UDPGangster backdoor deployed by MuddyWater

Malware Activity
H score22 First: 08.12.2025 08:46 Last: 08.12.2025 08:46 Sources 1

About this happening: The **MuddyWater** group has deployed **UDPGangster**, a new backdoor that uses **UDP C2** to control compromised systems and expand post-compromise access. The malware can **exec...

Kimsuky HttpTroy backdoor activity against South Korean users

Malware Activity
H score23 First: 05.11.2025 04:00 Last: 05.11.2025 04:00 Sources 1

About this happening: **Kimsuky** has been tied to fresh **March and April 2026** campaigns against **South Korean military and corporate entities**, using **fake security-software pages** and a **coun...

Timeline

  1. 26.12.2025 16:44 2 articles · 6mo ago

    Evasive Panda DNS-poisoning campaign delivers MgBot

    Technical Analysis Update

    Evasive Panda, also tracked as Bronze Highland, Daggerfly, and StormBamboo, was linked to a China-connected espionage campaign that used DNS poisoning, adversary-in-the-middle interception, and fake software-update lures to deliver the MgBot backdoor to victims in Türkiye, China, and India. The activity was observed between November 2022 and November 2024 and included SohuVA, iQIYI Video, IObit Smart Defrag, Tencent QQ, dictionary[.]com redirection, loader sideloading with libpython2.4.dll and python.exe, perf.dat staging, and MgBot injection into svchost.exe.

    Show sources