Poisoned at the Source: How Evasive Panda Turned ISP DNS Infrastructure into a Silent Malware Delivery System

ISP-Level DNS Poisoning & Supply-Chain Espionage Campaign

Timeframe: Late 2022 – 2024 (ongoing)
Also Known As: Bronze Highland, Daggerfly, StormBamboo
Primary Malware: MgBot (Windows), MACMA (macOS), Nightdoor (Windows)
Attribution: People’s Republic of China (state-aligned)


Executive Summary

Between late 2022 and 2024, Evasive Panda executed one of the most sophisticated and under-detected cyber-espionage campaigns observed in recent years. The group achieved direct control over ISP DNS infrastructure, enabling them to silently poison DNS responses and weaponize legitimate software update mechanisms.

Unlike phishing-based campaigns, victims were infected during normal, expected software updates: no malicious links, emails, or exploits were required. This let Evasive Panda operate quietly and at scale, compromising high-value targets across Asia, Africa, and the West for long-term intelligence collection.

This campaign demonstrates nation-state maturity, combining:

  • Infrastructure-level access
  • Supply-chain abuse
  • Adversary-in-the-Middle (AitM) tradecraft
  • Per-victim cryptography
  • Modular espionage malware

Threat Actor Background

Evasive Panda has been active since at least 2012 and is best known for:

  • Targeting ethnic minorities (Tibetan, Uyghur)
  • Surveillance of dissidents and NGOs
  • Compromise of telecommunications providers
  • Long-term, low-noise persistence

The group rarely conducts destructive operations. Instead, it prioritizes:

  • Credential harvesting
  • Communications surveillance
  • Document exfiltration
  • Strategic intelligence gathering

Why This Campaign Is Different From Typical APT Activity

Most APT groups compromise endpoints first (phishing, exploits, malware loaders).
Evasive Panda inverted the model:

They compromised the internet plumbing first, then waited for victims to come to them.

By operating at the ISP DNS resolver level, the group gained:

  • Silent access to update traffic
  • No need for user interaction
  • No phishing emails
  • No malicious links
  • No visible redirections

Victims were infected during routine, expected software updates.

This is why many infections went undetected for months or years.


Countries and Victim Geography

Primary Infection Zones

  • China (mainland) – dissidents, activists, academics
  • Hong Kong & Macao – pro-democracy groups
  • Taiwan – government and research institutions
  • Vietnam, Thailand, Philippines, Myanmar – foreign affairs & telecom
  • India & Nepal – diplomatic entities, NGOs
  • Nigeria, Ethiopia, Kenya – telecom infrastructure

Secondary / Strategic Monitoring

  • United States
  • United Kingdom
  • Germany

These were not mass infections, but targeted surveillance of:

  • Tibetan diaspora
  • Uyghur organizations
  • China policy researchers
  • Religious institutions

ISP-Level DNS Poisoning – How It Worked in Practice

Step-by-Step (Operational View)

  1. ISP infrastructure compromised
    • Likely via admin credential theft or network management system access
    • DNS resolvers modified or responses intercepted
  2. Target domains selected
    • Only software update domains
    • No general browsing interference (reduces detection)
  3. DNS responses manipulated
    • Legitimate update domain → attacker-controlled IP
    • Short TTLs, so the poisoned answer could be changed or withdrawn at will
    • Victims still saw the correct domain name in every request
  4. Adversary-in-the-Middle achieved
    • Traffic looked legitimate to the client and to network monitoring
    • No browser or updater warnings
    • No certificate checks at all where the update channel was plain HTTP; an HTTPS channel would have defeated the substitution unless the client failed to validate the server certificate
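The check a defender can run against steps 3 and 4 is to resolve each update domain through the ISP resolver and through an independent resolver (DNS over HTTPS to a provider outside the ISP, for example) and diff the answers. The script below is an added example written for this page, not code from the original write-up or from any vendor report. It parses wire-format DNS responses with the standard library and flags A records the reference resolver did not return, plus TTLs below a floor. The hostname update.example.test, the RFC 5737 addresses and the packets themselves are constructed for the example; the campaign IPs in the IOC section are deliberately not used.

```python
import ipaddress
import struct
from dataclasses import dataclass


@dataclass
class ARecord:
    name: str
    ttl: int
    ip: str


def _encode_name(name: str) -> bytes:
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_a_response(qname: str, answers, txid: int = 0x1234) -> bytes:
    """Assemble a minimal wire-format DNS response for one A query.

    answers is a list of (ttl, ipv4) tuples. Used only to construct the test
    packets below; a real check would read the bytes off the socket."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, len(answers), 0, 0)
    question = _encode_name(qname) + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN
    rrs = b""
    for ttl, ip in answers:
        # 0xC00C is a compression pointer back to the QNAME at offset 12.
        rrs += struct.pack("!HHHIH", 0xC00C, 1, 1, ttl, 4)
        rrs += ipaddress.IPv4Address(ip).packed
    return header + question + rrs


def _read_name(pkt: bytes, off: int):
    """Decode a (possibly compressed) name; return (name, offset after it)."""
    labels, end, jumped = [], None, False
    while True:
        length = pkt[off]
        if length & 0xC0 == 0xC0:  # compression pointer
            if not jumped:
                end = off + 2
            jumped = True
            off = struct.unpack("!H", pkt[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(pkt[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (end if jumped else off)


def parse_a_records(pkt: bytes):
    """Return the A records in the answer section of a DNS response."""
    _, _, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", pkt[:12])
    off = 12
    for _ in range(qdcount):
        _, off = _read_name(pkt, off)
        off += 4  # skip QTYPE + QCLASS
    records = []
    for _ in range(ancount):
        name, off = _read_name(pkt, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
        off += 10
        rdata = pkt[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rclass == 1 and rdlen == 4:
            records.append(ARecord(name, ttl, str(ipaddress.IPv4Address(rdata))))
    return records


def check_update_domain(local_pkt: bytes, reference_pkt: bytes, ttl_floor: int = 300):
    """Compare the ISP resolver's answer with an independent resolver's answer.

    Flags any A record the reference did not return and any TTL below
    ttl_floor: the two fingerprints of the poisoning described above."""
    reference_ips = {r.ip for r in parse_a_records(reference_pkt)}
    findings = []
    for r in parse_a_records(local_pkt):
        if r.ip not in reference_ips:
            findings.append(f"{r.name}: local resolver answered {r.ip}, "
                            f"reference answered {sorted(reference_ips)}")
        if r.ttl < ttl_floor:
            findings.append(f"{r.name}: TTL {r.ttl}s is below the {ttl_floor}s floor")
    return findings


# Constructed packets using documentation address ranges (RFC 5737). The
# hostname is hypothetical and no real campaign infrastructure is used.
REFERENCE = build_a_response("update.example.test", [(3600, "203.0.113.10")])
POISONED = build_a_response("update.example.test", [(30, "198.51.100.77")])

if __name__ == "__main__":
    for line in check_update_domain(POISONED, REFERENCE):
        print(line)
```

On a live network, replace the constructed packets with the bytes returned by a UDP query to the ISP resolver and by the reference resolver, and schedule the comparison for the updater domains your fleet actually uses. A short TTL on its own is common with CDNs, so the address mismatch is the stronger signal; the TTL check is there to catch the control pattern the write-up describes, not to stand alone.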

Why These Applications Were Targeted

Application        Reason It Was Ideal
Tencent QQ         Massive user base, frequent updates
Sogou Pinyin       Runs constantly, weak update security
WPS Office         Often installed with admin privileges
SohuVA / iQIYI     Trusted Chinese media software
IObit utilities    Elevated permissions, auto-update

Key weakness:
Many of these updaters fetched installers over plain HTTP, or over HTTPS without verifying the server certificate or the installer's code signature, so a forged DNS answer was enough to substitute the payload.


Full Malware Infection Chain

Phase 1 – Trojanized Update Delivery

  • Trojanized installer presented under the real product's version number and filename
  • Correct filenames and directory structures
  • Sometimes bundled with legitimate binaries

Phase 2 – Multi-Stage Loader

Dropped files typically included:

  • One legitimate executable
  • One malicious DLL
  • One encrypted payload blob

Common directories:

C:\ProgramData\Microsoft\
C:\ProgramData\Microsoft\eHome\
%APPDATA%\Roaming\
%TEMP%\

Phase 3 – DLL Side-Loading (Primary Execution)

The legitimate executable imported a DLL by name, and Windows resolved that import from the executable's own directory before the system directories (only names on the KnownDLLs list are exempt from this search), so the malicious copy placed beside it was loaded in place of the genuine one. The conditions were:

  • Same name as the imported DLL
  • Same directory as the executable
  • Windows DLL search order

This allowed:

  • Execution inside a trusted, often signed, process
  • Bypass of basic AV detection keyed on the launching executable

Phase 4 – Per-Victim Encryption (Critical Detail)

Each victim received a uniquely encrypted payload, with the key derived from host-specific values:

  • MAC address
  • Disk serial number
  • Hostname
  • Username
  • Infection timestamp
  • A random value supplied by the C2 server

Impact:

  • Sandboxes lacked the victim's identifiers, so the payload would not decrypt and the sample failed to detonate
  • A payload captured from one host could not be decrypted with another host's values
  • Keys recovered by analysts applied to a single victim only

Phase 5 – Process Injection

MgBot injected into:

  • svchost.exe
  • explorer.exe
  • rundll32.exe

At this point, malicious code lived entirely inside legitimate Windows processes.
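A hunt for Phases 2 and 3 does not need the samples: the triad (a host executable, a DLL with the name it imports sitting beside it, and a large high-entropy blob in the same folder) is visible on disk. The script below is an added example written for this page, not tooling from the original write-up or from any vendor. It walks the drop directories named above, measures the Shannon entropy of non-PE files, and reports directories that hold all three pieces. The fixture it builds (host.exe, helper.dll, data.bin, and a benign eHome folder) is synthetic data for the run, not real artefacts, and the directory list assumes the paths above are relative to the system drive or the user profile.

```python
import math
import os
import tempfile
from collections import Counter
from pathlib import Path

# Drop directories named in the write-up, relative to the system drive or the
# user profile. On a live Windows host expand them with os.path.expandvars();
# note that %APPDATA% already resolves to ...\AppData\Roaming.
DROP_DIRS = [
    r"ProgramData\Microsoft\MF",
    r"ProgramData\Microsoft\eHome",
    r"AppData\Roaming\shapp",
]


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: close to 8.0 for encrypted or compressed data,
    far lower for text or zero-padded PE files."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def triad_candidates(root: Path, entropy_floor: float = 7.2, min_blob_size: int = 4096):
    """Walk root and report every directory holding the loader triad:
    an .exe, a .dll beside it, and a high-entropy non-PE file large
    enough to be a payload."""
    findings = []
    for dirpath, _, files in os.walk(root):
        exes = sorted(f for f in files if f.lower().endswith(".exe"))
        dlls = sorted(f for f in files if f.lower().endswith(".dll"))
        if not exes or not dlls:
            continue
        blobs = []
        for f in files:
            if f.lower().endswith((".exe", ".dll")):
                continue
            path = Path(dirpath) / f
            if path.stat().st_size < min_blob_size:
                continue
            ent = shannon_entropy(path.read_bytes())
            if ent >= entropy_floor:
                blobs.append((f, round(ent, 2)))
        if blobs:
            findings.append({"dir": dirpath, "exe": exes, "dll": dlls, "blobs": blobs})
    return findings


def scan_drop_dirs(base: Path, **kwargs):
    """Scan only the known drop directories under base (the system drive,
    a user profile, or the root of a mounted triage image)."""
    hits = []
    for rel in DROP_DIRS:
        d = base / Path(*rel.split("\\"))
        if d.is_dir():
            hits.extend(triad_candidates(d, **kwargs))
    return hits


def build_fixture() -> Path:
    """Construct a disk layout for the scan: one directory shaped like the
    triad and one benign directory. Every file is synthetic; none is a
    real sample."""
    root = Path(tempfile.mkdtemp(prefix="triad_hunt_"))
    bad = root / "ProgramData" / "Microsoft" / "MF"
    bad.mkdir(parents=True)
    (bad / "host.exe").write_bytes(b"MZ" + b"\x00" * 510)    # stand-in for the signed host binary
    (bad / "helper.dll").write_bytes(b"MZ" + b"\x00" * 510)  # stand-in for the side-loaded DLL
    (bad / "data.bin").write_bytes(os.urandom(8192))         # stand-in for the encrypted payload
    good = root / "ProgramData" / "Microsoft" / "eHome"
    good.mkdir(parents=True)
    (good / "app.exe").write_bytes(b"MZ" + b"\x00" * 510)
    (good / "app.dll").write_bytes(b"MZ" + b"\x00" * 510)
    (good / "readme.txt").write_bytes(b"plain text configuration line\n" * 300)
    return root


if __name__ == "__main__":
    for hit in scan_drop_dirs(build_fixture()):
        print(hit)
```

Run it with the system drive or a mounted triage image as the base. Entropy alone misfires on legitimate compressed resources, so treat a hit as a lead for the next checks rather than a verdict: whether the EXE is signed and the DLL is not, and whether the EXE actually imports a module of that name, which is the side-loading condition described above.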


MgBot Capabilities (Operational Intelligence)

MgBot is not static malware. It is a modular espionage platform.

Commonly Observed Modules

  • Keystroke logging
  • Screen capture
  • Microphone recording
  • Clipboard monitoring
  • Browser credential theft
  • File discovery and exfiltration
  • Messaging app surveillance (QQ, WeChat, Telegram)
  • USB device monitoring

Modules were deployed selectively, based on target value.


Command-and-Control Infrastructure

Communication Methods

  • HTTPS to legitimate-looking domains
  • Abuse of Google Drive, OneDrive, Dropbox
  • DNS tunneling as fallback
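The DNS tunnelling fallback listed above leaves a distinctive shape in resolver logs: a single client sending many unique, long, hex-like names under one domain, usually as TXT or NULL queries. The detector below is an added example for this page, not code from the original write-up. It runs over a constructed resolver log (the hosts, addresses and domains are made up for the example) and scores each client/domain pair on those traits. The two-label registrable-domain rule is an assumption that a production version would replace with a public-suffix list.

```python
import re
from collections import defaultdict

# Constructed resolver log in a simplified "timestamp client qname qtype rcode"
# layout. These lines are made up for the example; the names are hypothetical
# and not campaign infrastructure.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z 10.0.0.5 www.example.test A NOERROR
2024-05-01T10:00:02Z 10.0.0.5 update.example.test A NOERROR
2024-05-01T10:00:03Z 10.0.0.7 3fa9c1e0b2d4f6a8c7e1.c7e1.relay.example.net TXT NOERROR
2024-05-01T10:00:03Z 10.0.0.7 9b0e4d2a7c1f3e5d6a2b.c7e1.relay.example.net TXT NOERROR
2024-05-01T10:00:04Z 10.0.0.7 5c2d8e1f0a9b3d7e4f61.c7e1.relay.example.net TXT NOERROR
2024-05-01T10:00:04Z 10.0.0.7 e1f0a9b3d7c2d8e5f4a3.c7e1.relay.example.net TXT NOERROR
2024-05-01T10:00:05Z 10.0.0.7 7d2a4c6e8f0b1d3f5e7a.c7e1.relay.example.net TXT NOERROR
2024-05-01T10:00:06Z 10.0.0.5 mail.example.test MX NOERROR
2024-05-01T10:00:07Z 10.0.0.9 cdn.example.test A NOERROR
2024-05-01T10:00:08Z 10.0.0.9 static.example.test A NOERROR
2024-05-01T10:00:09Z 10.0.0.9 api.example.test A NOERROR
2024-05-01T10:00:10Z 10.0.0.9 img.example.test A NOERROR
2024-05-01T10:00:11Z 10.0.0.9 www.example.test A NOERROR
"""

LINE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")
HEXISH = re.compile(r"^[0-9a-f]{12,}$")
DATA_QTYPES = {"TXT", "NULL", "CNAME", "MX"}  # roomy rdata, favoured by tunnels


def parse_log(text):
    """Yield (client, qname, qtype) for every well-formed line."""
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if m:
            _, client, qname, qtype, _ = m.groups()
            yield client, qname.lower().rstrip("."), qtype.upper()


def registered_domain(qname):
    # Assumption: the last two labels approximate the registrable domain.
    parts = qname.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else qname


def tunnel_candidates(log_text, min_queries=5, min_unique_ratio=0.8, min_label_len=12):
    """Group queries per (client, registered domain) and score tunnelling
    traits: mostly unique names, long leftmost labels, hex-looking labels,
    and data-carrying query types. A pair is flagged only when both the
    uniqueness and the label-length thresholds are met."""
    buckets = defaultdict(list)
    for client, qname, qtype in parse_log(log_text):
        buckets[(client, registered_domain(qname))].append((qname, qtype))
    findings = []
    for (client, rdomain), rows in buckets.items():
        if len(rows) < min_queries:
            continue
        leftmost = [q.split(".")[0] for q, _ in rows]
        unique_ratio = len({q for q, _ in rows}) / len(rows)
        mean_len = sum(len(lab) for lab in leftmost) / len(leftmost)
        hex_share = sum(1 for lab in leftmost if HEXISH.match(lab)) / len(leftmost)
        data_share = sum(1 for _, t in rows if t in DATA_QTYPES) / len(rows)
        if unique_ratio >= min_unique_ratio and mean_len >= min_label_len:
            findings.append({
                "client": client,
                "domain": rdomain,
                "queries": len(rows),
                "unique_ratio": round(unique_ratio, 2),
                "mean_label_len": round(mean_len, 1),
                "hex_share": round(hex_share, 2),
                "data_qtype_share": round(data_share, 2),
            })
    return findings


if __name__ == "__main__":
    for hit in tunnel_candidates(SAMPLE_LOG):
        print(hit)
```

The thresholds are starting points to tune against your own baseline. The rule deliberately requires both high uniqueness and long labels: in the sample, the client 10.0.0.9 also sends five distinct names under one domain, but the short CDN-style labels keep it out of the findings, while the hex labels and TXT share on 10.0.0.7 are what an analyst would pivot on next.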

Infrastructure Characteristics

  • Fast-flux IP rotation
  • Privacy-protected domain registrations
  • Overlap across Windows and macOS campaigns
  • Long-lived backend servers

Indicators of Compromise (IOCs, defanged)

Note: validate every entry before blocking; the domain list mixes attacker-controlled infrastructure with compromised legitimate sites.


File Hashes

MgBot / Loaders (MD5)

  • c340195696d13642ecf20fbe75461bed
  • 9e72410d61eaa4f24e0719b34d7cad19

MACMA (macOS, SHA-256)

  • 003764fd74bf13cff9bf1ddd870cbf593b23e2b584ba4465114023870ea6fbef

Malicious / C2 IP Addresses

60[.]28[.]124[.]21
123[.]139[.]57[.]103
140[.]205[.]220[.]98
112[.]80[.]248[.]27
103[.]96[.]130[.]107
103[.]243[.]212[.]98

Malicious & Compromised Domains

p2p[.]hd[.]sohu[.]com[.]cn
www[.]monlamit[.]com
tibetpost[.]net
www[.]kagyumonlam[.]org
dictionary[.]com

(Some were compromised legitimate sites, not attacker-registered)


Common Malware Paths

C:\ProgramData\Microsoft\MF\
C:\ProgramData\Microsoft\eHome\
%APPDATA%\Roaming\shapp\

MITRE ATT&CK Mapping (Key Techniques)

  • T1584.002 – Compromise Infrastructure: DNS Server
  • T1557 – Adversary-in-the-Middle
  • T1195.002 – Supply Chain Compromise: Compromise Software Supply Chain
  • T1189 – Drive-by Compromise
  • T1574.002 – Hijack Execution Flow: DLL Side-Loading
  • T1055 – Process Injection
  • T1053 – Scheduled Task/Job
  • T1027 – Obfuscated Files or Information
  • T1071.001 – Application Layer Protocol: Web Protocols
  • T1071.004 – Application Layer Protocol: DNS
  • T1102 – Web Service

Final Takeaways

  • This was not malware spam; it was intelligence collection
  • ISP-level access dramatically reduced detection
  • Software update trust was the primary weapon
  • Per-victim encryption neutralized bulk analysis
  • Campaign ran quietly for years

This operation represents state-grade cyber-espionage maturity, not criminal tradecraft.


Aegiron

Backed by 11+ years in cybersecurity and incident response, we decode the latest threats shaping today’s digital battlefield. This blog cuts through the noise with clear insights on vulnerabilities, emerging exploits, and the cyber news defenders can’t afford to miss.