
The operation demonstrates how state‑aligned actors can weaponize DNS infrastructure to bypass traditional defenses, raising the threat level for enterprises worldwide. Understanding these tactics is critical for protecting supply‑chain integrity and network hygiene.
DNS poisoning has re‑emerged as a potent initial‑access vector, allowing threat actors to silently redirect legitimate traffic to malicious servers. In the Evasive Panda campaign, the group compromised DNS responses for domains masquerading as popular software updaters such as SohuVA and iQIYI. By manipulating resolver answers at the ISP or router level, the attackers ensured that only targeted victims received the malicious payload, dramatically reducing noise and increasing the likelihood of successful infection.
The technical sophistication of the operation extends beyond simple redirection. After the initial DNS-poisoned request, a lightweight loader retrieves an encrypted PNG file that is XOR-encrypted with a per-victim key and further protected with a hybrid DPAPI-RC5 scheme. Because the key material differs for every victim, this dual-layer encryption frustrates static analysis and signature-based network detection, while a renamed Python DLL sideloads the second-stage code into a legitimate svchost.exe process. The final MgBot implant offers a full suite of espionage tools (keylogging, clipboard harvesting, audio capture, and credential theft), making it a valuable asset for long-term intelligence gathering.
For defenders, the campaign underscores the need for multi‑layered DNS security, including DNSSEC deployment, strict resolver hygiene, and continuous monitoring for anomalous DNS query patterns. Organizations should also enforce application whitelisting and verify the authenticity of software updates through digital signatures. As nation‑state actors continue to refine DNS‑based delivery mechanisms, proactive network segmentation and rapid incident response become essential to mitigate the risk of stealthy, persistent threats like MgBot.
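The two detection ideas above, selective poisoning (only targeted clients receive a different answer for a software-updater domain) and answers that fall outside a vendor's known address ranges, can be checked directly against resolver logs. The following Python script is an added example written for this summary; it is not code from the original report or from any vendor. The log format, the updater domain name and the expected netblocks are all constructed for the demonstration, and a real deployment would build the baseline from authoritative lookups over DoT/DoH or the vendor's published ranges.

```python
"""Flag resolver answers that indicate selective DNS poisoning of updater domains.

Two checks are applied to resolver logs:
  1. off_baseline: an answer for a monitored updater domain lies outside the
     netblocks we expect for that vendor.
  2. divergent_answers: different clients received answers in different
     address buckets for the same domain, which is what per-victim
     poisoning at the ISP or router level looks like from the inside.
"""
from collections import defaultdict
import ipaddress

# Constructed baseline (hypothetical domain and netblock, not a real vendor).
EXPECTED_NETBLOCKS = {
    "update.example-updater.test": ["203.0.113.0/24"],
}

# Constructed resolver log lines: "<timestamp> <client> <qname> <answer>".
# Client 10.0.0.7 alone receives an answer outside the expected range.
SAMPLE_LOG = """\
2024-01-01T10:00:00 10.0.0.5 update.example-updater.test 203.0.113.10
2024-01-01T10:00:02 10.0.0.6 update.example-updater.test 203.0.113.11
2024-01-01T10:00:05 10.0.0.7 update.example-updater.test 198.51.100.7
2024-01-01T10:00:09 10.0.0.5 update.example-updater.test 203.0.113.10
2024-01-01T10:00:12 10.0.0.8 cdn.example-static.test 192.0.2.40
"""


def parse_log(text):
    """Parse whitespace-separated resolver log lines into dict records."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, qname, answer = line.split()
        records.append({
            "ts": ts,
            "client": client,
            "qname": qname.lower().rstrip("."),
            "answer": ipaddress.ip_address(answer),
        })
    return records


def off_baseline(records, expected=EXPECTED_NETBLOCKS):
    """Return records whose answer is outside the expected netblocks for a monitored domain."""
    findings = []
    for r in records:
        nets = expected.get(r["qname"])
        if nets is None:
            continue  # domain is not on the watch list
        if not any(r["answer"] in ipaddress.ip_network(n) for n in nets):
            findings.append(r)
    return findings


def _bucket(addr):
    """Coarse address bucket: /24 for IPv4, /48 for IPv6."""
    prefix = 24 if addr.version == 4 else 48
    return ipaddress.ip_network(f"{addr}/{prefix}", strict=False)


def divergent_answers(records):
    """Map each domain to {client: answer} when clients landed in different buckets.

    Only domains that are expected to resolve to a stable range (updater
    hosts, not anycast CDNs) should be fed in; CDNs legitimately return
    different addresses to different clients.
    """
    by_domain = defaultdict(dict)
    for r in records:
        by_domain[r["qname"]][r["client"]] = r["answer"]
    divergent = {}
    for qname, per_client in by_domain.items():
        if len({_bucket(a) for a in per_client.values()}) > 1:
            divergent[qname] = per_client
    return divergent


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for r in off_baseline(recs):
        print(f"OFF-BASELINE {r['ts']} {r['client']} {r['qname']} -> {r['answer']}")
    for qname, per_client in divergent_answers(recs).items():
        print(f"DIVERGENT {qname}: {per_client}")
```

Run against the constructed log, the script reports one off-baseline answer (client 10.0.0.7) and marks the updater domain as divergent, while the CDN-style domain is untouched because only one client queried it. In practice the divergence check should be scoped to domains whose answers are known to be stable, and the baseline should be refreshed from a resolver path that does not share the suspect ISP or router, otherwise a poisoned baseline would hide the very redirection being hunted.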