{
  "name": "Evasive Panda APT poisons DNS requests to deliver MgBot",
  "slug": "evasive-panda-apt-poisons-dns-requests-to-deliver-mgbot",
  "description": "The Evasive Panda APT group conducted highly-targeted campaigns from November 2022 to November 2024, employing adversary-in-the-middle attacks and DNS poisoning techniques. They developed a new loader that evades detection and uses hybrid encryption for victim-specific implants. The group utilized fake updaters for popular applications to deliver malware, including a multi-stage shellcode execution process. A secondary loader, disguised as a legitimate Windows library, was used to achieve stealthier loading. The attackers employed a custom hybrid encryption method combining DPAPI and RC5 to secure payloads. Victims were detected in T\u00fcrkiye, China, and India, with some systems compromised for over a year. The campaign showcases the group's advanced capabilities and continuous improvement of tactics.",
  "published": "2025-12-24T12:36:09+00:00",
  "created_at": "2025-12-24T12:36:09+00:00",
  "modified_at": "2025-12-24T14:32:09+00:00",
  "created_at_opencti": "2025-12-24T12:36:09+00:00",
  "author": "",
  "confidence": null,
  "report_types": [],
  "labels": [],
  "tags": [
    "2025-12-24",
    "aitm attacks",
    "apt",
    "dns poisoning",
    "fake updaters",
    "hybrid encryption",
    "mgbot",
    "multi-stage shellcode",
    "stealthy loader"
  ],
  "related_entities": {
    "observables": [
      {
        "id": "",
        "name": "60.28.124.21"
      },
      {
        "id": "",
        "name": "60.29.226.181"
      },
      {
        "id": "",
        "name": "106.126.3.78"
      },
      {
        "id": "",
        "name": "117.121.133.33"
      },
      {
        "id": "",
        "name": "103.27.110.232"
      },
      {
        "id": "",
        "name": "58.68.255.45"
      },
      {
        "id": "",
        "name": "116.213.178.11"
      },
      {
        "id": "",
        "name": "123.139.57.103"
      },
      {
        "id": "",
        "name": "103.96.130.107"
      },
      {
        "id": "",
        "name": "106.126.3.56"
      },
      {
        "id": "",
        "name": "9c33f106fc93f3e6523627feda2e3250c45d704946dbdf87ad18fb3d815e2992"
      }
    ],
    "intrusion_sets": [
      {
        "id": "legacy:intrusion:740d32a0d7beabb7",
        "name": "Evasive Panda",
        "slug": "evasive-panda"
      }
    ],
    "attack_patterns": [
      {
        "id": "c340d47a-2ea8-41ca-9a0b-a72559b89bbf",
        "name": "T1584"
      },
      {
        "id": "7d7ac733-6442-416f-8669-c302dd0843b9",
        "name": "T1036"
      },
      {
        "id": "c3af9fd7-d307-4df4-9220-cc627938fb85",
        "name": "T1055"
      },
      {
        "id": "a72ebeae-8e62-4039-8135-e9c611011fdc",
        "name": "T1573"
      },
      {
        "id": "c9ee9b30-ba84-4c24-95e9-e8242d42af3f",
        "name": "T1071.001"
      },
      {
        "id": "196f2a64-c55b-47a6-8e38-beb76ba700b6",
        "name": "T1204.002"
      },
      {
        "id": "0c836307-129e-4ff7-a532-180c633cacba",
        "name": "T1027"
      },
      {
        "id": "9b6064e6-a05b-4e95-baf5-34d180bc9221",
        "name": "T1059"
      },
      {
        "id": "e8422fc8-8365-4a6a-a556-d6ec16cb4e5d",
        "name": "T1574.002"
      },
      {
        "id": "74d5f31c-5e2d-4aed-b8b9-4fabdde76dfa",
        "name": "T1598"
      },
      {
        "id": "5999052b-e9ae-49e8-9235-d9bf975c22af",
        "name": "T1547.001"
      },
      {
        "id": "0156fcda-e385-4662-b388-086c3e16feec",
        "name": "T1140"
      }
    ],
    "others": [
      {
        "id": "",
        "name": "India"
      },
      {
        "id": "",
        "name": "British Indian Ocean Territory"
      },
      {
        "id": "",
        "name": "T\u00fcrkiye"
      },
      {
        "id": "",
        "name": "China"
      },
      {
        "id": "",
        "name": "Technology"
      },
      {
        "id": "",
        "name": "Government"
      }
    ]
  },
  "external_refs": [
    "https://otx.alienvault.com/pulse/694bec49b3afb4e6bc975450",
    "https://securelist.com/evasive-panda-apt/118576/"
  ]
}