
Chinese APT Group Evasive Panda Uses DNS Poisoning to Deploy MgBot Backdoor in Targeted Cyberespionage Campaign
Kaspersky researchers have identified the Chinese Advanced Persistent Threat (APT) group Evasive Panda (also tracked as Daggerfly, Bronze Highland, or StormBamboo) as the operator of a targeted cyberespionage campaign that uses DNS poisoning to deploy the MgBot backdoor. The campaign has targeted victims in Turkey, China, and India. DNS poisoning manipulates DNS responses so that requests are redirected to attacker-controlled servers, which then install the MgBot backdoor on the compromised systems. This gives the attackers persistent access to those systems, enabling data exfiltration and follow-on attacks.

The use of DNS poisoning by an APT group highlights the continued evolution of attack techniques and underscores the importance of securing DNS infrastructure and monitoring for unusual DNS activity. Organizations should ensure robust endpoint protection and network monitoring to detect and respond to such threats. The targeting of victims in multiple countries suggests a broad intelligence-gathering interest with possible geopolitical implications. Cybersecurity professionals should stay informed about the tactics, techniques, and procedures (TTPs) used by APT groups in order to defend effectively against these advanced threats.
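As an added illustration of the DNS monitoring recommended above (this is not code from the article or from Kaspersky), the following script checks passive DNS log lines for answers that disagree with a historical baseline or with an out-of-band trusted resolver, which is how a poisoned answer for a well-known name typically surfaces. The log lines, the baseline, the resolver addresses and the domain names are all constructed assumptions.

```python
"""Passive DNS consistency check (added example, not from the original article).
A suspect answer is one the local resolver returns for a known name that differs
from the name's historical baseline or from an independent, trusted resolver."""
from collections import defaultdict
import ipaddress

# Constructed sample log: "timestamp resolver qname rtype rdata ttl"
SAMPLE_LOG = """\
2024-06-01T10:00:01Z 10.0.0.53 update.example-vendor.test A 203.0.113.10 3600
2024-06-01T10:00:02Z 9.9.9.9 update.example-vendor.test A 203.0.113.10 3600
2024-06-01T10:05:11Z 10.0.0.53 update.example-vendor.test A 198.51.100.77 60
2024-06-01T10:05:12Z 9.9.9.9 update.example-vendor.test A 203.0.113.10 3600
2024-06-01T10:06:00Z 10.0.0.53 portal.example.test A 198.51.100.78 60
2024-06-01T10:06:01Z 9.9.9.9 portal.example.test A 192.0.2.9 300
"""
# Constructed baseline of addresses a name has historically resolved to.
BASELINE = {"update.example-vendor.test": {"203.0.113.10"}}
TRUSTED_RESOLVER = "9.9.9.9"  # assumption: an out-of-band reference resolver

def parse_log(text):
    """Parse A-record lines into dicts; malformed lines are skipped, not fatal."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 6 or parts[3] != "A":
            continue
        try:
            ipaddress.ip_address(parts[4])  # reject garbage in the rdata column
        except ValueError:
            continue
        records.append({"resolver": parts[1], "qname": parts[2], "rdata": parts[4]})
    return records

def find_poisoning_indicators(records, baseline, trusted_resolver):
    """Return (qname, resolver, rdata, reason) for local answers that disagree."""
    trusted = defaultdict(set)
    for r in records:
        if r["resolver"] == trusted_resolver:
            trusted[r["qname"]].add(r["rdata"])
    findings = []
    for r in records:
        if r["resolver"] == trusted_resolver:
            continue  # reference answers are the yardstick, not suspects
        if r["qname"] in baseline and r["rdata"] not in baseline[r["qname"]]:
            findings.append((r["qname"], r["resolver"], r["rdata"], "outside baseline"))
        elif r["qname"] in trusted and r["rdata"] not in trusted[r["qname"]]:
            findings.append((r["qname"], r["resolver"], r["rdata"], "differs from trusted resolver"))
    return findings
```

A disagreement is a lead rather than proof, since CDNs and split-horizon DNS legitimately return different addresses; the baseline should be built from the organization's own resolver history.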