MgBot backdoor delivery and injection via secondary loader
Malware Activity
Summary
The MgBot backdoor was delivered through a secondary loader and injected into svchost.exe, giving operators a stealthy foothold on infected systems. The payload supports credential theft, keystroke logging, clipboard capture, and audio recording. That behavior makes the malware suitable for long-term espionage and silent data collection. The delivery chain also used sideloading and encrypted staging to reduce detection.
Related Happenings
Evasive Panda DNS poisoning MgBot espionage campaign
Campaign
First: 26.12.2025 16:44
Last: 26.12.2025 16:44
Sources 1
How related:
A China-linked advanced persistent threat (APT) group has been attributed to a highly-targeted cyber espionage campaign in which the adversary poisoned Domain Name System (DNS) requests to deliver its signature MgBot backdoor in attacks targeting victims in Türkiye, China, and India.
About this happening:
**Evasive Panda** ran a **highly targeted cyber espionage campaign** that used **DNS poisoning** to deliver **MgBot** to victims in **Türkiye, China, and India**. The operation wa...
UDPGangster backdoor deployed by MuddyWater
Malware Activity
First: 08.12.2025 08:46
Last: 08.12.2025 08:46
Sources 1
About this happening:
The **MuddyWater** group has deployed **UDPGangster**, a new backdoor that uses **UDP C2** to control compromised systems and expand post-compromise access. The malware can **exec...
Kimsuky HttpTroy backdoor activity against South Korean users
Malware Activity
First: 05.11.2025 04:00
Last: 05.11.2025 04:00
Sources 1
About this happening:
**Kimsuky** has deployed the **HttpTroy** backdoor against **South Korean users**, expanding a multi-stage infection chain that is designed to evade detection. The malware gives o...
ScoringMathTea RAT final-stage activity
Malware Activity
First: 23.10.2025 15:38
Last: 23.10.2025 15:38
Sources 1
About this happening:
The **ScoringMathTea RAT** now appears as the final-stage payload in a **Lazarus** infection chain, giving attackers **remote access** and C2-driven control over victim systems. T...
UTA0388 spear-phishing campaign delivering GOVERSHELL
Campaign
First: 09.10.2025 20:19
Last: 09.10.2025 20:19
Sources 1
About this happening:
A **China-aligned** actor, **UTA0388**, is running a **spear-phishing campaign** across **North America, Asia, and Europe** to deliver the **GOVERSHELL** implant. The operation ma...
Timeline
- 26.12.2025 16:44 · 2 articles
Evasive Panda DNS-poisoning campaign delivers MgBot
Technical Analysis Update
Evasive Panda, also tracked as Bronze Highland, Daggerfly, and StormBamboo, was linked to a China-connected espionage campaign that used DNS poisoning, adversary-in-the-middle interception, and fake software-update lures to deliver the MgBot backdoor to victims in Türkiye, China, and India. The activity was observed between November 2022 and November 2024. Reported components of the chain: software-update lures tied to SohuVA, iQIYI Video, IObit Smart Defrag, and Tencent QQ; redirection of dictionary[.]com; loader sideloading via python.exe with libpython2.4.dll; staging of the payload as perf.dat; and injection of MgBot into svchost.exe.
Sources:
- China-Linked Evasive Panda Ran DNS Poisoning Campaign to Deliver MgBot Malware — thehackernews.com — 26.12.2025 16:44
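The delivery chain in the timeline entry above (python.exe sideloading libpython2.4.dll, a perf.dat staging file, MgBot injected into svchost.exe) gives a defender four concrete things to hunt for in endpoint telemetry. The following is an added example, not code from the page or from any vendor report: four hunt rules run over constructed Sysmon-style JSON-lines events (process create, image load, CreateRemoteThread, file create). All paths, the `update.exe` parent, and the event shapes are assumptions for illustration, not observed indicators.

```python
"""Hunt rules for the MgBot delivery chain over Sysmon-style JSON-lines events.

Added example. The events in SAMPLE_EVENTS are constructed for this demo and
are not real telemetry; field names follow Sysmon's conventions (EventID 1 =
process create, 7 = image load, 8 = CreateRemoteThread, 11 = file create).
"""
import json
from typing import Dict, Iterable, List

# Constructed sample telemetry (hypothetical paths and parent process).
SAMPLE_EVENTS = r"""
{"EventID": 1, "Image": "C:\\Users\\u\\AppData\\Local\\Temp\\upd\\python.exe", "ParentImage": "C:\\Users\\u\\Downloads\\update.exe"}
{"EventID": 7, "Image": "C:\\Users\\u\\AppData\\Local\\Temp\\upd\\python.exe", "ImageLoaded": "C:\\Users\\u\\AppData\\Local\\Temp\\upd\\libpython2.4.dll"}
{"EventID": 11, "Image": "C:\\Users\\u\\AppData\\Local\\Temp\\upd\\python.exe", "TargetFilename": "C:\\Users\\u\\AppData\\Local\\Temp\\upd\\perf.dat"}
{"EventID": 8, "SourceImage": "C:\\Users\\u\\AppData\\Local\\Temp\\upd\\python.exe", "TargetImage": "C:\\Windows\\System32\\svchost.exe"}
{"EventID": 1, "Image": "C:\\Windows\\System32\\svchost.exe", "ParentImage": "C:\\Users\\u\\AppData\\Local\\Temp\\upd\\python.exe"}
{"EventID": 1, "Image": "C:\\Windows\\System32\\svchost.exe", "ParentImage": "C:\\Windows\\System32\\services.exe"}
{"EventID": 7, "Image": "C:\\Python27\\python.exe", "ImageLoaded": "C:\\Python27\\python27.dll"}
"""


def _low(e: Dict, key: str) -> str:
    """Lower-cased string field, empty if absent."""
    return str(e.get(key, "")).lower()


def _base(path: str) -> str:
    """File name component of a Windows path, lower-cased."""
    return path.lower().rsplit("\\", 1)[-1]


def _user_writable(path: str) -> bool:
    """Rough check for directories a standard user can write to."""
    p = path.lower()
    return any(seg in p for seg in ("\\users\\", "\\programdata\\", "\\temp\\"))


def _system_binary(path: str) -> bool:
    """True for images living in the Windows system directories."""
    return path.lower().startswith(("c:\\windows\\system32\\", "c:\\windows\\syswow64\\"))


def parse_events(text: str) -> List[Dict]:
    """Parse JSON-lines telemetry, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def hunt(events: Iterable[Dict]) -> List[Dict]:
    """Return one finding per event that matches a chain-stage rule."""
    findings: List[Dict] = []
    for e in events:
        eid = e.get("EventID")
        # Rule 1: python.exe sideloading libpython2.4.dll from a user-writable
        # directory. A real Python 2.4 install would sit under Program Files.
        if (eid == 7 and _base(_low(e, "Image")) == "python.exe"
                and _base(_low(e, "ImageLoaded")) == "libpython2.4.dll"
                and _user_writable(e["ImageLoaded"])):
            findings.append({"rule": "python_sideload_libpython24",
                             "evidence": e["ImageLoaded"]})
        # Rule 2: perf.dat staging file written by python.exe or into a
        # user-writable directory.
        elif (eid == 11 and _base(_low(e, "TargetFilename")) == "perf.dat"
                and (_base(_low(e, "Image")) == "python.exe"
                     or _user_writable(e["TargetFilename"]))):
            findings.append({"rule": "perf_dat_staging",
                             "evidence": e["TargetFilename"]})
        # Rule 3: a non-system process creating a remote thread in svchost.exe,
        # the injection step of the chain.
        elif (eid == 8 and _base(_low(e, "TargetImage")) == "svchost.exe"
                and not _system_binary(e.get("SourceImage", ""))):
            findings.append({"rule": "remote_thread_into_svchost",
                             "evidence": e.get("SourceImage", "")})
        # Rule 4: svchost.exe whose parent is not services.exe. Tune this for
        # your environment; a few legitimate parents exist on some builds.
        elif (eid == 1 and _base(_low(e, "Image")) == "svchost.exe"
                and _base(_low(e, "ParentImage")) != "services.exe"):
            findings.append({"rule": "svchost_unexpected_parent",
                             "evidence": e["ParentImage"]})
    return findings


if __name__ == "__main__":
    for f in hunt(parse_events(SAMPLE_EVENTS)):
        print(f["rule"], "<-", f["evidence"])
```

Rules 1 and 2 are specific to this chain and will be quiet in most estates; rules 3 and 4 are generic svchost.exe injection and parentage checks that the other events in the sample (a legitimate services.exe child, a normal Python 2.7 load) do not trigger, which is the false-positive check to keep when porting these into a SIEM.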