Evasive Panda, a classy risk actor identified by the aliases Bronze Highland, Daggerfly, and StormBamboo, has escalated its offensive capabilities by way of a two-year marketing campaign that has deployed superior assault methods,, together with adversary-in-the-middle (AitM) assaults and DNS poisoning.
Based on June 2025 analysis, the group maintained persistent operations between November 2022 and November 2024, focusing on victims throughout Turkey, China, and India with evolving malware supply mechanisms designed to evade detection.
The marketing campaign reveals a marked evolution within the risk actor’s operational method. Reasonably than counting on direct distribution strategies, Evasive Panda orchestrated highly-targeted assaults utilizing AitM methods mixed with DNS poisoning to intercept reliable site visitors and redirect victims to attacker-controlled servers.
The attackers distributed loaders disguised as reliable software updates together with SohuVA, iQIYI Video, IObit Good Defrag, and Tencent QQ exploiting consumer belief in acquainted software program distributors to determine preliminary system entry.
Technical Sophistication
The sophistication of Evasive Panda’s loader demonstrates vital improvement funding. Written in C++ utilizing the Home windows Template Library (WTL), the malware employs a number of encryption layers and obfuscation methods to complicate evaluation.
The loader makes use of XOR-based decryption algorithms to reveal configuration components solely after execution, whereas all essential strings together with system paths and command execution parameters stay encrypted till runtime.
Most notably, the attackers developed a novel injector enabling in-memory execution of their MgBot implant inside reliable processes.
By leveraging DLL sideloading methods with a decade-old signed executable (evteng.exe), the group achieved persistent presence with out writing major payloads to disk. This method considerably reduces detection floor and complicates forensic investigation.
The DNS poisoning mechanism represents the marketing campaign’s most progressive ingredient. Attackers manipulated DNS responses for reliable web sites, together with dictionary.com, redirecting victims’ programs to attacker-controlled infrastructure primarily based on geographical location and ISP affiliation.
The malware retrieves encrypted payloads disguised as PNG pictures from these poisoned domains, with payload choice tailor-made to the sufferer’s Home windows model and system configuration.
The an infection chain employs multi-stage execution: the preliminary loader decrypts shellcode and retrieves encrypted second-stage payloads by way of DNS-poisoned site visitors.
To forestall interception and evaluation, attackers applied customized hybrid encryption combining Microsoft’s Information Safety API (DPAPI) with RC5 encryption.
This method ensures payload decryption happens completely on compromised programs, creating uneven benefits for defenders making an attempt forensic restoration.
Persistence and Attribution
Some compromised programs maintained lively infections for over one yr, indicating sustained operational dedication.
The attackers maintained a number of command-and-control (C2) servers lively for years, suggesting deliberate infrastructure redundancy designed to protect management regardless of potential takedown operations.
Attribution to Evasive Panda seems extremely assured primarily based on tactical convergence with historic operations.
The group’s constant use of supply-chain compromise, AitM methods, and watering-hole assaults mixed with the resurgent MgBot implant with enhanced configuration components aligns with established risk actor behaviors.
Regardless of technical visibility, essential operational gaps stay. Researchers have but to find out how Evasive Panda initially compromises community infrastructure to execute DNS poisoning at scale.
Two believable eventualities exist: both selective ISP community implants have been deployed, or victim-controlled community gadgets (routers, firewalls) have been independently compromised.
The marketing campaign demonstrates sustained evolution inside Evasive Panda’s toolkit. New loader improvement suggests further functionality enhancements stay forthcoming.
Organizations ought to implement sturdy DNS monitoring, community segmentation limiting lateral motion potential, and endpoint detection mechanisms tuned for multi-stage shellcode execution patterns.
Observe us on Google Information, LinkedIn, and X to Get Immediate Updates and Set GBH as a Most well-liked Supply in Google.
