APT Hackers Use Advanced DNS Poisoning Techniques to Distribute MgBot Malware Across Multiple Countries for Over Two Years


Monday, December 29, 2025

Researchers from Kaspersky have disclosed the discovery of a highly sophisticated cyber-espionage campaign conducted by an advanced persistent threat (APT) group known as “Evasive Panda” (also referred to as Bronze Highland or StormBamboo), which has been linked to China. The operation took place between November 2022 and 2024, targeting victims in Turkey, China, and India. The attackers primarily relied on DNS poisoning techniques to manipulate network traffic and stealthily deliver backdoor-class malware to victim systems.

A key technical highlight of this campaign is the use of Adversary-in-the-Middle (AitM) techniques. The attackers intercepted and modified DNS responses for seemingly legitimate domains (such as Tencent software update servers and even dictionary[.]com), redirecting victims to attacker-controlled servers instead. Encrypted payloads were then delivered and written to a file named perf.dat on the victim’s system. The encryption scheme combined Windows DPAPI with the RC5 algorithm, so that the payload could only be decrypted on the specific victim machine, which effectively prevents offline analysis. The attackers then executed the malicious code using DLL sideloading via an outdated Python library.
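Because the initial access here is a tampered DNS answer rather than a malicious file, a defender's first detection opportunity is the resolver view itself. The following is an added example, not code from the article or from Kaspersky's research: it takes a constructed DNS answer log in which each query is seen both through the local (possibly tampered) resolution path and through an out-of-band trusted resolver, and it flags answers for monitored software-update domains that either fall outside pre-approved publisher address ranges or disagree with the trusted resolver. The domain names, address ranges and log format are all assumptions made for the demo.

```python
"""Added example (not from the article): flag suspicious DNS answers for
monitored software-update domains using two checks:
  1. the answer lies outside the publisher's expected address ranges;
  2. the local answer disagrees with an out-of-band trusted resolver.
All domains, ranges and log lines are constructed for this demo.
"""
import ipaddress
import re
from collections import defaultdict

# Hypothetical allowlist of update domains and the ranges their answers are
# expected to stay inside (constructed placeholder domains and networks).
EXPECTED_RANGES = {
    "update.example-vendor.com": [ipaddress.ip_network("203.0.113.0/24")],
    "dl.example-vendor.com": [ipaddress.ip_network("203.0.113.0/24"),
                              ipaddress.ip_network("198.51.100.0/25")],
}

# Constructed log in the format: <timestamp> <source> <qname> A <answer>
# "local" is the client's normal resolution path, "trusted" is a resolver
# reached out-of-band (for example over an encrypted transport).
SAMPLE_LOG = """\
2025-12-01T10:00:01Z local   update.example-vendor.com A 203.0.113.10
2025-12-01T10:00:01Z trusted update.example-vendor.com A 203.0.113.10
2025-12-01T10:05:44Z local   dl.example-vendor.com A 192.0.2.77
2025-12-01T10:05:44Z trusted dl.example-vendor.com A 198.51.100.20
2025-12-01T10:07:12Z local   www.unrelated.example A 192.0.2.5
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<source>local|trusted)\s+(?P<qname>\S+)\s+A\s+(?P<ip>\S+)$"
)


def parse_log(text):
    """Parse log lines into dicts; lines that do not match the format are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            rec = m.groupdict()
            rec["ip"] = ipaddress.ip_address(rec["ip"])
            records.append(rec)
    return records


def in_expected_range(qname, ip):
    """True/False for a monitored domain, None if the domain is not monitored."""
    ranges = EXPECTED_RANGES.get(qname.lower())
    if ranges is None:
        return None
    ip = ipaddress.ip_address(ip)
    return any(ip in net for net in ranges)


def detect_poisoning(records):
    """Return findings as (timestamp, qname, reason) tuples."""
    findings = []
    # Group answers by (timestamp, qname) so the two resolver views line up.
    views = defaultdict(dict)
    for rec in records:
        views[(rec["ts"], rec["qname"].lower())][rec["source"]] = rec["ip"]
    for (ts, qname), by_source in sorted(views.items()):
        local_ip = by_source.get("local")
        trusted_ip = by_source.get("trusted")
        if local_ip is not None and in_expected_range(qname, local_ip) is False:
            findings.append((ts, qname,
                             f"local answer {local_ip} outside expected ranges"))
        if local_ip is not None and trusted_ip is not None and local_ip != trusted_ip:
            findings.append((ts, qname,
                             f"local answer {local_ip} disagrees with trusted resolver {trusted_ip}"))
    return findings


if __name__ == "__main__":
    for finding in detect_poisoning(parse_log(SAMPLE_LOG)):
        print(*finding)
```

On the constructed log the first query is clean, the second produces two findings for dl.example-vendor.com (an answer outside the approved ranges, and a mismatch with the trusted resolver), and the third is ignored because the domain is not monitored. The range check alone is fragile, since CDN-backed update hosts change addresses; the cross-resolver comparison is what catches a path-level tamper regardless of which address the attacker substitutes, which is why both checks are combined.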

The ultimate objective of the campaign was to deploy MgBot, a modular backdoor with extensive capabilities, including file exfiltration, keystroke logging, audio recording, and credential theft from web browsers. To remain hidden, the malware injected itself into the legitimate svchost.exe process. This discovery demonstrates that the Evasive Panda group continues to evolve its tooling and evasion techniques, and may even be collaborating with ISPs or compromising network routers to perform network-level DNS poisoning, allowing them to maintain long-term access to targeted environments.

Source: https://thehackernews.com/2025/12/china-linked-evasive-panda-ran-dns.html