EXECUTIVE SUMMARY:
The Evasive Panda APT campaign represents a persistent cyber-espionage operation attributed to a China-aligned threat actor also tracked under multiple aliases. Active for over a decade, the group has consistently demonstrated an ability to adapt its tooling and delivery mechanisms to evade detection while maintaining long-term access to targeted environments. The campaign analyzed in this report spans multiple years and targets organizations and individuals across several regions, including Asia and parts of Europe. Unlike conventional intrusion campaigns that rely heavily on phishing, Evasive Panda leverages adversary-in-the-middle techniques and DNS poisoning to compromise victims in a stealthy and indirect manner. By intercepting legitimate network traffic, the attackers are able to manipulate trusted software update processes and replace them with malicious payloads. This approach allows the threat actor to blend malicious activity into normal system behavior, significantly reducing the likelihood of user suspicion. The campaign introduces newly observed loaders and encryption mechanisms designed to complicate both detection and reverse engineering, underscoring the group’s continued investment in operational security and technical sophistication.
From a technical perspective, the campaign relies on a carefully structured, multi-stage infection chain that culminates in the deployment of the MgBot backdoor. The attack begins when DNS poisoning redirects requests for legitimate software updates to attacker-controlled infrastructure. Victims unknowingly download trojanized update installers that execute a custom loader on the system. This loader decrypts embedded configuration data using lightweight obfuscation techniques before launching an encrypted shellcode payload. A notable feature of this campaign is the use of a hybrid encryption scheme combining system-specific encryption with a symmetric cipher, effectively binding the payload to the victim machine and limiting reuse or offline analysis. The decrypted payload injects malicious code into legitimate system processes, often leveraging DLL sideloading and runtime injection to avoid raising alarms. Once executed, the MgBot implant operates primarily in memory, establishing command-and-control communications and enabling remote task execution. Infrastructure analysis indicates long-term reuse of control servers, suggesting a mature and stable operational framework maintained by the threat actor over extended periods.
The findings of this analysis highlight Evasive Panda as a highly capable and evolving APT actor that continues to refine its tradecraft in pursuit of stealthy, long-term access. By abusing trusted network services and software update mechanisms, the group effectively bypasses many traditional security controls that focus on user-initiated threats such as phishing. The introduction of new loaders, system-bound encryption, and advanced injection techniques demonstrates a clear intent to frustrate incident response and forensic investigations. While certain aspects of the initial DNS poisoning vector remain unclear, the overall campaign reflects a level of access and sophistication consistent with state-sponsored operations. The sustained activity observed over multiple years further suggests strong operational discipline and significant resourcing. For defenders, this campaign underscores the importance of monitoring DNS behavior, validating software update integrity, and detecting anomalous process execution patterns. As Evasive Panda continues to adapt, similar techniques may be reused or expanded in future operations, making proactive detection and layered defensive strategies critical to mitigating the risk posed by such advanced threat actors.
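To make the three defensive recommendations above concrete, here is an added example (not code from the report or from any vendor) that flags DNS answers for a software-update host that fall outside the vendor's expected address ranges, and separately checks a downloaded installer against a hash pinned out of band. The update hostname, the allowlisted network, the log format and the log lines are all constructed for illustration.

```python
import hashlib
import ipaddress
import re

# Constructed, hypothetical allowlist: update host -> networks the vendor's
# update service is expected to resolve to (RFC 5737 documentation ranges).
EXPECTED_UPDATE_NETS = {
    "update.example-vendor.test": ["203.0.113.0/24"],
}

# Constructed DNS-resolution log lines (not from the report). Assumed format:
# "<timestamp> client=<ip> qname=<name> answer=<ip>"
SAMPLE_DNS_LOG = """\
2024-01-01T10:00:01Z client=10.0.0.5 qname=update.example-vendor.test answer=203.0.113.10
2024-01-01T10:00:07Z client=10.0.0.9 qname=update.example-vendor.test answer=198.51.100.77
2024-01-01T10:00:09Z client=10.0.0.5 qname=www.example.test answer=192.0.2.1
"""

LINE_RE = re.compile(r"client=(\S+) qname=(\S+) answer=(\S+)")


def find_poisoned_resolutions(log_text):
    """Return (client, qname, answer) tuples where a pinned update host
    resolved outside its expected networks: the observable symptom of
    update traffic being redirected by DNS poisoning."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # skip lines that do not match the assumed format
        client, qname, answer = m.groups()
        nets = EXPECTED_UPDATE_NETS.get(qname.lower())
        if nets is None:
            continue  # not an update host we pin; out of scope here
        addr = ipaddress.ip_address(answer)
        if not any(addr in ipaddress.ip_network(n) for n in nets):
            hits.append((client, qname, answer))
    return hits


def installer_matches_pin(installer_bytes, expected_sha256):
    """Second control: compare a downloaded installer against a SHA-256
    pinned from an out-of-band source, so a redirected download cannot
    pass as the genuine update even if DNS was trusted."""
    return hashlib.sha256(installer_bytes).hexdigest() == expected_sha256.lower()
```

Run the resolver check over DNS logs from the resolver or EDR telemetry, and apply the hash check before any update installer is allowed to execute.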
THREAT PROFILE:
| Tactic | Technique ID | Technique | Sub-Technique |
|---|---|---|---|
| Initial Access | T1195.002 | Supply Chain Compromise | Compromise Software Supply Chain |
| | T1566 | Phishing | - |
| Execution | T1059.003 | Command and Scripting Interpreter | Windows Command Shell |
| | T1204.002 | User Execution | Malicious File |
| Persistence | T1547.001 | Boot or Logon Autostart Execution | Registry Run Keys / Startup Folder |
| | T1574.002 | Hijack Execution Flow | DLL Side-Loading |
| Defense Evasion | T1027.002 | Obfuscated Files or Information | Software Packing |
| | T1140 | Deobfuscate/Decode Files or Information | - |
| | T1218.011 | System Binary Proxy Execution | Rundll32 |
| Credential Access | T1003 | OS Credential Dumping | - |
| Discovery | T1082 | System Information Discovery | - |
| | T1057 | Process Discovery | - |
| Collection | T1005 | Data from Local System | - |
| Command and Control | T1071.001 | Application Layer Protocol | Web Protocols |
| | T1095 | Non-Application Layer Protocol | - |
| | T1105 | Ingress Tool Transfer | - |
| | T1573.001 | Encrypted Channel | Symmetric Cryptography |
| Exfiltration | T1041 | Exfiltration Over C2 Channel | - |
MBC MAPPING:
| Objective | Behaviour ID | Behaviour |
|---|---|---|
| Persistence | F0010 | Kernel Modules and Extensions |
| Discovery | E1083 | File and Directory Discovery |
| Collection | E1056 | Input Capture |
| Anti-Behavioral Analysis | B0009 | Virtual Machine Detection |
| Command and Control | B0030 | C2 Communication |
REFERENCES:
The following reports contain further technical details: