Evasive Panda APT poisons DNS requests to deliver MgBot
Dec. 24, 2025, 3:32 p.m.
Description
The Evasive Panda APT group conducted highly targeted campaigns from November 2022 to November 2024, employing adversary-in-the-middle (AitM) attacks and DNS poisoning. They developed a new loader that evades detection and uses hybrid encryption for victim-specific implants. The group used fake updaters for popular applications to deliver malware, including a multi-stage shellcode execution process. A secondary loader, disguised as a legitimate Windows library, was used to achieve stealthier loading. The attackers employed a custom hybrid encryption scheme combining DPAPI and RC5 to protect payloads. Victims were detected in Türkiye, China, and India, with some systems compromised for over a year. The campaign showcases the group's advanced capabilities and continuous refinement of its tactics.
Tags
Date
- Created: Dec. 24, 2025, 1:36 p.m.
- Published: Dec. 24, 2025, 1:36 p.m.
- Modified: Dec. 24, 2025, 3:32 p.m.
Indicators
- 9c33f106fc93f3e6523627feda2e3250c45d704946dbdf87ad18fb3d815e2992
- 60.28.124.21
- 60.29.226.181
- 106.126.3.78
- 117.121.133.33
- 103.27.110.232
- 58.68.255.45
- 116.213.178.11
- 123.139.57.103
- 103.96.130.107
- 106.126.3.56
Additional Information
- Technology
- Government
- India
- British Indian Ocean Territory
- Türkiye
- China