
China-Linked Evasive Panda APT Group Uses DNS Poisoning to Distribute MgBot Backdoor
The China-linked advanced persistent threat (APT) group Evasive Panda conducted a targeted espionage campaign between November 2022 and November 2024, using DNS poisoning to distribute the MgBot backdoor. Targets were located in Turkey, China, and India; the attackers poisoned DNS requests so that victims' traffic was redirected to servers under their control. According to Kaspersky, which attributed the activity to Evasive Panda, the technique enables stealthy malware distribution, a hallmark of advanced espionage operations. The specific impact on compromised systems was not disclosed.

DNS poisoning, also known as DNS spoofing, is a technique in which attackers corrupt a DNS resolver's cache so that queries for legitimate servers are answered with the addresses of malicious ones. The method is particularly effective for distributing malware because it happens without the victim's knowledge and a single poisoned resolver affects every user who relies on it. Evasive Panda's use of the technique highlights the group's sophistication and its focus on stealth.

MgBot is a backdoor designed to provide remote access to infected systems, allowing attackers to steal data, execute commands, and maintain persistence within the target network. Its use in a campaign that ran for two years suggests the attackers were interested in long-term access to sensitive information.

From a cybersecurity perspective, this campaign underscores the ongoing threat posed by state-sponsored APT groups. DNS poisoning as a distribution mechanism is particularly concerning because it can bypass traditional security measures and is difficult to detect.
Organizations in targeted regions should be vigilant in monitoring their DNS traffic for signs of tampering and should implement robust security measures to protect against such attacks. In conclusion, the Evasive Panda campaign serves as a reminder of the evolving tactics used by APT groups to achieve their objectives. The combination of DNS poisoning and the MgBot backdoor demonstrates a high level of technical sophistication and a focus on stealth and persistence. Cybersecurity professionals should take note of this campaign and ensure that their defenses are capable of detecting and mitigating such advanced threats.
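As an added illustration of the DNS-monitoring advice above (example code, not from Kaspersky's report or this article), the script below checks resolver answers recorded in a log against a baseline obtained out of band from a trusted resolver and flags names whose answers diverge, along with how many clients received the rogue answer. The log format, domains and IP addresses are all constructed.

```python
"""Flag DNS answers that diverge from a trusted out-of-band baseline.

Added example for detecting resolver-cache tampering; it is not code from
the article or from Kaspersky. Log format, names and addresses are constructed.
"""
from collections import defaultdict

# Constructed baseline: what a trusted upstream resolver (queried out of band,
# e.g. over DoT/DoH) returned for each monitored name.
TRUSTED_ANSWERS = {
    "update.example-vendor.test": {"203.0.113.10", "203.0.113.11"},
    "cdn.example-vendor.test": {"198.51.100.20"},
}

def parse_line(line):
    """Parse one constructed resolver log line: ts client qname rrtype answer ttl."""
    ts, client, qname, rrtype, answer, ttl = line.split()
    return {"ts": ts, "client": client, "qname": qname.lower().rstrip("."),
            "rrtype": rrtype, "answer": answer, "ttl": int(ttl)}

def find_tampered(lines, baseline=TRUSTED_ANSWERS):
    """Return {qname: {"rogue_answers": set, "clients": set}} for A answers
    not in the trusted set. Only baselined names are judged, so normal
    CDN rotation on names we have no baseline for does not create noise."""
    hits = defaultdict(lambda: {"rogue_answers": set(), "clients": set()})
    for line in lines:
        if not line.strip():
            continue
        rec = parse_line(line)
        expected = baseline.get(rec["qname"])
        if rec["rrtype"] != "A" or expected is None:
            continue
        if rec["answer"] not in expected:
            hits[rec["qname"]]["rogue_answers"].add(rec["answer"])
            hits[rec["qname"]]["clients"].add(rec["client"])
    return dict(hits)

# Constructed log: two clients get a non-baseline answer with a short TTL.
SAMPLE_LOG = """\
2024-03-01T10:00:01Z 10.0.0.5 update.example-vendor.test A 203.0.113.10 300
2024-03-01T10:00:02Z 10.0.0.6 update.example-vendor.test A 192.0.2.77 60
2024-03-01T10:00:03Z 10.0.0.7 update.example-vendor.test A 192.0.2.77 60
2024-03-01T10:00:04Z 10.0.0.5 cdn.example-vendor.test A 198.51.100.20 300
2024-03-01T10:00:05Z 10.0.0.8 other.test A 192.0.2.9 300
"""

if __name__ == "__main__":
    for name, info in find_tampered(SAMPLE_LOG.splitlines()).items():
        print(f"{name}: rogue {sorted(info['rogue_answers'])} "
              f"seen by {len(info['clients'])} client(s)")
```

A name that the trusted resolver and the monitored resolver answer differently is the signal to investigate; legitimate multi-address records are handled by listing every expected address in the baseline.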