
China-Linked Evasive Panda Ran DNS Poisoning Campaign to Deliver XoBot Malware

  • Dec 26, 2025

Key Findings


  • China-linked advanced persistent threat (APT) group Evasive Panda (also known as Bronze Highland, Daggerfly, and StormBamboo) conducted a cyber espionage campaign targeting victims in Türkiye, China, and India.

  • The group used adversary-in-the-middle (AitM) attacks and DNS poisoning techniques to deliver its signature MgBot backdoor.

  • The attackers leveraged lures that masqueraded as updates for third-party software, such as SohuVA, Baidu's iQIYI Video, IObit Smart Defrag, and Tencent QQ.

  • Evasive Panda manipulated the IP address associated with legitimate websites like dictionary.com to fetch an encrypted second-stage shellcode.

  • The group employed a complex process involving XOR encryption and a custom hybrid of Microsoft's Data Protection Application Programming Interface (DPAPI) to decrypt and execute the final payload.


Background


Evasive Panda is a China-linked hacking group that has been active since at least 2012. The group has a history of leveraging DNS poisoning and AitM attacks for malware distribution, as observed in previous incidents targeting an international NGO in Mainland China and an unnamed internet service provider.


DNS Poisoning Tactics


  • Evasive Panda is suspected of either compromising the ISPs used by the victims or hacking a router or firewall used by the targets to poison the DNS responses.

  • The group manipulated the IP address associated with legitimate websites like dictionary.com, causing victim systems to resolve the website to an attacker-controlled IP address based on their geographical location and internet service provider.
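The poisoning described above shows up on the host as a difference between what the locally assigned resolver says and what an independent resolver says for the same name. The following detection script is an added example written for this summary, not code from the original post or from any vendor report: it parses a constructed resolver log (the `resolver=... qname=... answer=...` line layout and all IP addresses are assumptions for the example) and reports answers from an untrusted resolver that a trusted, out-of-band resolver never returned.

```python
"""Cross-resolver comparison to flag DNS answers that diverge from a trusted resolver."""
import re
from collections import defaultdict

# One log line per answer. This layout is an assumption for the example,
# not a real product's log format.
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+resolver=(?P<resolver>\S+)\s+qname=(?P<qname>\S+)"
    r"\s+rrtype=(?P<rrtype>\S+)\s+answer=(?P<answer>\S+)$"
)

# Constructed sample log (documentation IP ranges only). 198.51.100.1 stands
# in for an out-of-band resolver reached over an encrypted channel; 10.0.0.53
# stands in for the resolver pushed to the host by the local network.
SAMPLE_LOG = """\
2025-12-20T10:00:01Z resolver=198.51.100.1 qname=dictionary.com rrtype=A answer=192.0.2.10
2025-12-20T10:00:01Z resolver=198.51.100.1 qname=updates.vendor.example rrtype=A answer=192.0.2.20
2025-12-20T10:00:02Z resolver=10.0.0.53 qname=dictionary.com rrtype=A answer=203.0.113.77
2025-12-20T10:00:02Z resolver=10.0.0.53 qname=updates.vendor.example rrtype=A answer=192.0.2.20
2025-12-20T10:00:03Z resolver=10.0.0.53 qname=dictionary.com rrtype=A answer=203.0.113.77
2025-12-20T10:00:04Z resolver=10.0.0.53 qname=cdn.other.example rrtype=A answer=192.0.2.99
"""

TRUSTED_RESOLVERS = {"198.51.100.1"}


def parse_log(text):
    """Yield one dict per well-formed line; malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.groupdict()


def find_divergent_answers(text, trusted=TRUSTED_RESOLVERS):
    """Return answers from untrusted resolvers that the trusted resolver never gave.

    Each finding carries the queried name, the resolver that answered, the
    unexpected addresses, and the reference addresses they were compared to.
    Names the trusted resolver was never asked about cannot be judged and are
    skipped rather than reported.
    """
    reference = defaultdict(set)   # (qname, rrtype) -> trusted answers
    observed = defaultdict(set)    # (qname, rrtype, resolver) -> answers seen
    for rec in parse_log(text):
        key = (rec["qname"], rec["rrtype"])
        if rec["resolver"] in trusted:
            reference[key].add(rec["answer"])
        else:
            observed[key + (rec["resolver"],)].add(rec["answer"])

    findings = []
    for (qname, rrtype, resolver), answers in sorted(observed.items()):
        ref = reference.get((qname, rrtype))
        if not ref:
            continue
        unexpected = answers - ref
        if unexpected:
            findings.append({
                "qname": qname,
                "rrtype": rrtype,
                "resolver": resolver,
                "unexpected": sorted(unexpected),
                "reference": sorted(ref),
            })
    return findings


if __name__ == "__main__":
    for f in find_divergent_answers(SAMPLE_LOG):
        print(f"{f['qname']} via {f['resolver']}: got {f['unexpected']}, "
              f"trusted resolver says {f['reference']}")
```

A divergence is a triage signal, not a verdict: CDN-backed names legitimately return region-specific addresses, so confirm who owns the network behind the unexpected answer before treating it as poisoning. Update hosts that should resolve to a stable address, such as the third-party updaters abused in this campaign, give the cleanest signal.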


Malware Delivery


  • The attackers used lures that masqueraded as updates for third-party software, such as SohuVA, Baidu's iQIYI Video, IObit Smart Defrag, and Tencent QQ, to deliver the malicious payload.

  • The initial loader is responsible for launching shellcode that fetches an encrypted second-stage shellcode in the form of a PNG image file, again by means of DNS poisoning.

  • Evasive Panda employed a complex process involving XOR encryption and a custom hybrid of Microsoft's DPAPI to decrypt and execute the final payload.
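A second-stage payload carried inside a PNG file has to live somewhere a decoder ignores: after the IEND chunk, in a chunk type the specification does not define, or in a chunk whose CRC no longer matches. The inspector below is an added example for this summary, not code from the original post and not a description of the actual file used in the campaign, whose internal layout the post does not give. It builds its own constructed 1x1 PNG (so it runs offline), then walks the chunk table and reports trailing bytes, unknown chunk types and CRC mismatches.

```python
"""Walk a PNG's chunk structure and report data that a viewer would never render."""
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
# Chunk types defined by the PNG specification and its registered extensions.
KNOWN_CHUNKS = {
    b"IHDR", b"PLTE", b"IDAT", b"IEND", b"tRNS", b"cHRM", b"gAMA", b"iCCP",
    b"sBIT", b"sRGB", b"tEXt", b"zTXt", b"iTXt", b"bKGD", b"hIST", b"pHYs",
    b"sPLT", b"tIME", b"eXIf",
}


def _chunk(ctype, body):
    """Serialize one chunk: 4-byte length, type, data, CRC over type+data."""
    crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)


def build_minimal_png(extra_chunks=(), trailing=b""):
    """Construct a 1x1 RGB PNG for testing; extra chunks are placed before IEND."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)  # 1x1, 8-bit truecolor
    scanline = b"\x00" + b"\x00\x00\x00"                 # filter 0 + one pixel
    png = PNG_SIGNATURE + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", zlib.compress(scanline))
    for ctype, body in extra_chunks:
        png += _chunk(ctype, body)
    return png + _chunk(b"IEND", b"") + trailing


def inspect_png(data):
    """Return a structural report; 'suspicious' is True when hidden data is found."""
    if not data.startswith(PNG_SIGNATURE):
        raise ValueError("not a PNG file")
    pos = len(PNG_SIGNATURE)
    chunks, bad_crc, unknown = [], [], []
    truncated = saw_iend = False
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        body = data[pos + 8:pos + 8 + length]
        crc = data[pos + 8 + length:pos + 12 + length]
        if len(body) != length or len(crc) != 4:
            truncated = True          # length field runs past end of file
            break
        name = ctype.decode("latin-1")
        if struct.unpack(">I", crc)[0] != (zlib.crc32(ctype + body) & 0xFFFFFFFF):
            bad_crc.append(name)      # body edited after the CRC was computed
        if ctype not in KNOWN_CHUNKS:
            unknown.append((name, length))
        chunks.append((name, length))
        pos += 12 + length
        if ctype == b"IEND":
            saw_iend = True
            break
    if not saw_iend:
        truncated = True
    trailing = len(data) - pos if saw_iend else 0   # bytes a decoder never reads
    return {
        "chunks": chunks,
        "unknown_chunks": unknown,
        "bad_crc": bad_crc,
        "truncated": truncated,
        "trailing_bytes": trailing,
        "suspicious": bool(trailing or unknown or bad_crc),
    }


if __name__ == "__main__":
    # Constructed sample: a clean image beside one with 40 bytes appended after IEND.
    print(inspect_png(build_minimal_png()))
    print(inspect_png(build_minimal_png(trailing=b"\x00" * 40)))
```

Because the second stage in this campaign is described as encrypted and unique per victim, byte signatures on the carrier file are unlikely to hold up; structural checks like these, together with a high-entropy test on the trailing or unknown-chunk data, remain usable regardless of the key.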


Targeting and Impact


  • The cyber espionage campaign primarily targeted victims in Türkiye, China, and India; the group used the DNS poisoning and AitM techniques to deliver its signature MgBot backdoor.

  • The exact nature of the second-stage payload is unclear, but it is assessed that the attackers generate a unique encrypted second-stage shellcode file for each victim as a way to bypass detection.


Sources


  • https://thehackernews.com/2025/12/china-linked-evasive-panda-ran-dns.html

  • https://x.com/shah_sheikh/status/2004572948280045900


© 2025 by Explain IT Again.
