Cybersecurity researchers have uncovered a sophisticated cyber-espionage campaign linked to a China-aligned threat group that used DNS poisoning to secretly infect targeted systems with advanced malware.
According to security firm Kaspersky, the campaign ran quietly between November 2022 and November 2024 and targeted users across China, Türkiye, and other regions. The attackers used a highly targeted approach, focusing on specific individuals rather than launching broad attacks.
The group behind the operation is known in the security community as Evasive Panda, also tracked under names such as Bronze Highland, Daggerfly, and StormBamboo. This group has been active for more than a decade and is known for using stealthy, long-term intrusion techniques.
How the Attack Worked
Instead of relying on phishing emails or obvious malware downloads, the attackers used a more advanced technique called DNS poisoning. This allowed them to secretly redirect legitimate software update requests to malicious servers under their control.
Once a victim attempted to update trusted software, the attackers intercepted the request and delivered a hidden backdoor known as MgBot. The malware was carefully disguised and installed without alerting the user.
Security researchers found that the attackers:
- Manipulated DNS responses to redirect traffic
- Used fake update servers that looked legitimate
- Deployed malware in stages to avoid detection
- Encrypted malicious payloads to bypass security tools
Software Used as a Delivery Channel
The attackers abused several legitimate applications as delivery vehicles, including:
- SohuVA (a video streaming application)
- Tencent QQ
- iQIYI Video
- IObit Smart Defrag
In one case, a fake update was delivered through a compromised domain related to a trusted software provider. When users attempted to update their software, they unknowingly downloaded malware instead.
Advanced Evasion Techniques
Investigators found that the malware used multiple layers of encryption and file obfuscation. Some payloads were disguised as image files or encrypted system data. In other cases, the malware dynamically adapted based on the victim’s operating system and environment.
The attackers also used a multi-stage loader that decrypted and executed additional components only after confirming the system met specific criteria. This made detection and analysis extremely difficult.
What the Malware Could Do
Once installed, the malware was capable of:
- Stealing sensitive files
- Logging keystrokes
- Capturing clipboard data
- Monitoring system activity
- Maintaining long-term persistence on infected systems
These capabilities allowed attackers to quietly spy on victims over extended periods.
Why This Matters
This campaign highlights how cybercriminals are increasingly targeting trusted software and infrastructure rather than relying on obvious scams. By abusing legitimate update mechanisms, attackers can bypass traditional security controls and operate undetected for long periods.
It also reinforces the importance of:
- Keeping systems and software updated from verified sources
- Monitoring network behavior, not just malware signatures
- Using endpoint protection capable of detecting advanced threats
- Treating unexpected software updates with caution
Final Thoughts
The Evasive Panda operation is another reminder that cyber threats continue to evolve in sophistication. Attacks are no longer limited to suspicious emails or malicious attachments—today’s threats can hide inside software people trust every day.
Staying informed, applying updates carefully, and using layered security protections remain the best defense against these advanced cyber campaigns.