
Evasive Panda APT leverages DNS hijacking and npm packages in targeted cyber espionage campaigns
The Evasive Panda APT group has been observed compromising DNS requests to distribute the MgBot malware through watering hole attacks, targeting organizations in strategic sectors. Concurrently, a spearphishing campaign exploiting the npm package registry has targeted American and allied entities in manufacturing and healthcare, deploying remote access tools via malicious packages. Additionally, the EmEditor supply chain compromise demonstrates the continuing risk of software update mechanisms being abused for malware distribution.

These incidents highlight the evolving tactics of state-aligned threat actors, with DNS hijacking providing a stealthy initial access vector that bypasses traditional perimeter defenses. The use of legitimate package repositories like npm for malware distribution underscores the supply chain risks in modern software development ecosystems. While technical details remain partially undisclosed, the campaigns exhibit characteristics of cyber espionage rather than financially motivated crime.

Organizations are advised to implement DNS traffic monitoring, package repository verification processes, and software update integrity checks as mitigation measures. The healthcare and manufacturing sectors should be particularly vigilant given their targeting in these campaigns.