216.73.217.139

Evasive Panda APT poisons DNS requests to deliver MgBot

· Published 24/12/2025 13:36 · Modified 24/12/2025 15:32

Export JSON

Essential information

Published
24/12/2025 13:36
Modified
24/12/2025 15:32
Tags
2025-12-24 aitm attacks apt dns poisoning fake updaters hybrid encryption mgbot multi-stage shellcode stealthy loader
Related entities
11 observables, 1 intrusion sets (apt), 12 techniques (mitre), 6 others

Description

The Evasive Panda group conducted highly-targeted campaigns from November 2022 to November 2024, employing adversary-in-the-middle attacks and techniques. They developed a new loader that evades detection and uses for victim-specific implants. The group utilized for popular applications to deliver malware, including a execution process. A secondary loader, disguised as a legitimate Windows library, was used to achieve stealthier loading. The attackers employed a custom method combining DPAPI and RC5 to secure payloads. Victims were detected in Türkiye, China, and India, with some systems compromised for over a year. The campaign showcases the group's advanced capabilities and continuous improvement of tactics.

External references