DNS Poisoning as an APT Weapon: Inside Evasive Panda’s MgBot Campaign
A sophisticated cyber espionage campaign attributed to the China-linked advanced persistent threat group known as Evasive Panda has revealed how DNS poisoning can be weaponized to achieve silent, long-term access to targeted networks. By manipulating name resolution at the network layer, the group has been able to redirect victims to malicious infrastructure and deploy its modular MgBot backdoor without relying on traditional phishing or exploit-heavy delivery chains.
Weaponizing DNS for Stealthy Initial Access
Unlike common intrusion techniques that depend on malicious email attachments or compromised websites, Evasive Panda’s approach centers on poisoning DNS responses to silently reroute legitimate traffic. Victims attempting to access trusted domains are transparently redirected to attacker-controlled servers, often without any visible indicators of compromise.
This technique allows the attackers to deliver malicious payloads during otherwise normal network activity. Because DNS resolution occurs before any encrypted web session with the intended server is established, a poisoned answer steers the client to attacker-controlled infrastructure at the network layer, where many endpoint-focused security controls have little visibility; the user sees the domain name they expected and has no reason for suspicion.
MgBot: A Modular and Persistent Backdoor
Once initial access is achieved, the campaign deploys MgBot, a highly modular backdoor designed for espionage and long-term persistence. MgBot supports a wide range of capabilities, including file exfiltration, keystroke logging, screen capture, audio recording through system microphones, and credential theft from browsers and system stores.
The malware is designed to adapt to different operational needs. Modules can be selectively deployed or updated, allowing operators to tailor functionality based on the target’s value and environment.
Stealth Through Process Injection
To remain hidden, MgBot employs advanced stealth techniques, most notably process injection into svchost.exe, a legitimate and commonly running Windows system process. By operating within this trusted process, the malware blends into normal system activity, making detection by traditional antivirus tools significantly more difficult.
This technique also allows MgBot to inherit the privileges and network access of the injected process, further expanding its operational reach while minimizing forensic artifacts.
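One defender-side way to hunt for the svchost.exe abuse described above, as an added example rather than anything from the campaign reporting: a Python triage pass over constructed process-creation, remote-thread and network-connection events (schema modelled loosely on Sysmon event fields; the internal ranges, system directories and injector allowlist are placeholders to be tuned per environment). It flags svchost.exe started from the wrong path or parent or without a -k service group, remote threads created in svchost.exe by an unexpected source, and escalates an external connection from a svchost.exe that was earlier seen injected.

```python
import ipaddress
from pathlib import PureWindowsPath

# Constructed telemetry modelled loosely on Sysmon event types (1 = process
# create, 8 = CreateRemoteThread, 3 = network connection). The schema is
# assumed and the values are made up; none of this is MgBot artefact data.
EVENTS = [
    {"id": 1, "pid": 1332, "image": r"C:\Windows\System32\svchost.exe",
     "parent": r"C:\Windows\System32\services.exe", "cmdline": "svchost.exe -k netsvcs -p"},
    {"id": 8, "source": r"C:\Users\alice\AppData\Local\Temp\upd.exe",
     "target": r"C:\Windows\System32\svchost.exe", "target_pid": 1332},
    {"id": 3, "pid": 1332, "image": r"C:\Windows\System32\svchost.exe",
     "dst_ip": "203.0.113.45", "dst_port": 443},
    {"id": 3, "pid": 904, "image": r"C:\Windows\System32\svchost.exe",
     "dst_ip": "10.0.0.20", "dst_port": 445},
    {"id": 1, "pid": 5120, "image": r"C:\Users\alice\AppData\Local\Temp\svchost.exe",
     "parent": r"C:\Windows\explorer.exe", "cmdline": "svchost.exe"},
]

INTERNAL = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}
LEGIT_INJECTORS = set()  # fill from baselining of benign remote-thread sources; empty here

def is_svchost(path):
    return PureWindowsPath(path).name.lower() == "svchost.exe"

def is_internal(ip):
    return any(ipaddress.ip_address(ip) in net for net in INTERNAL)

def analyse(events):
    """Return (severity, message) findings; a PID seen injected escalates its later egress."""
    findings, injected = [], set()
    for ev in events:
        if ev["id"] == 1 and is_svchost(ev["image"]):
            if str(PureWindowsPath(ev["image"]).parent).lower() not in SYSTEM_DIRS:
                findings.append(("high", f"svchost.exe running from {ev['image']}"))
            if PureWindowsPath(ev["parent"]).name.lower() != "services.exe":
                findings.append(("high", f"svchost pid {ev['pid']} parent is {ev['parent']}"))
            if "-k" not in ev["cmdline"].split():
                findings.append(("medium", f"svchost pid {ev['pid']} started without -k group"))
        elif ev["id"] == 8 and is_svchost(ev["target"]) and ev["source"].lower() not in LEGIT_INJECTORS:
            injected.add(ev["target_pid"])
            findings.append(("high", f"remote thread in svchost pid {ev['target_pid']} from {ev['source']}"))
        elif ev["id"] == 3 and is_svchost(ev["image"]) and not is_internal(ev["dst_ip"]):
            sev = "critical" if ev["pid"] in injected else "low"
            findings.append((sev, f"svchost pid {ev['pid']} -> {ev['dst_ip']}:{ev['dst_port']} external"))
    return findings
```

Legitimate svchost.exe instances do make external connections (Windows Update, telemetry), so the "low" tier is for baselining; the correlation with a prior remote-thread event is what makes the alert actionable.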
Geographic Scope and Strategic Targeting
Analysis of the campaign indicates targeting across multiple regions, including Türkiye, China, and India. Victims include telecommunications providers, government-linked organizations, and entities involved in critical infrastructure. The selection of targets suggests an intelligence-gathering focus rather than financially motivated cybercrime.
The use of DNS manipulation raises concerns about possible compromise of upstream infrastructure, such as ISP-level resolvers, enterprise DNS servers, or network routers. Control at this level would allow attackers to maintain persistent access across entire networks and re-infect systems even after endpoint remediation.
Network-Level Control and Long-Term Persistence
By operating at the DNS layer, Evasive Panda can sustain control over victim environments with minimal interaction. Even systems that are rebuilt or reimaged may remain vulnerable if they continue to rely on poisoned resolvers. This strategy represents a shift toward infrastructure-centric attacks that prioritize durability and stealth over speed.
Such techniques are particularly effective against organizations with complex networks and limited visibility into DNS traffic flows.
Defensive Measures and Mitigation Strategies
Defending against DNS-based attacks requires a strong focus on network-layer security. Organizations are encouraged to implement DNSSEC validation where possible, maintain strict resolver hygiene, and monitor for anomalous DNS responses or unexpected changes in resolution behavior.
Egress traffic monitoring can also help identify suspicious outbound connections to unfamiliar infrastructure, while segmentation and least-privilege principles can limit the impact of a successful compromise.
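As an added example (not from the campaign reporting or any vendor tool), a small Python checker over constructed passive-DNS log lines that implements two of the monitoring ideas above: comparing answers for monitored domains against a baseline of expected address ranges and against an independent validating resolver, and flagging unusually short TTLs, which poisoned answers often carry. The log format, domain names, resolver addresses and IP ranges are all assumed and constructed for the example.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed baseline of expected address ranges for monitored domains
# (e.g. exported from a validating reference resolver or the zone owner).
BASELINE = {"update.example.com": ["198.51.100.0/24"],
            "portal.example.gov": ["192.0.2.0/28"]}

# Constructed passive-DNS log format; adapt the regex to your sensor's output.
LOG_RE = re.compile(r"(?P<ts>\S+) resolver=(?P<resolver>\S+) qname=(?P<qname>\S+) "
                    r"qtype=A ttl=(?P<ttl>\d+) answer=(?P<answer>\S+)")

# Constructed sample: 10.0.0.53 is the enterprise resolver, 10.9.9.9 an independent
# validating resolver queried for comparison; line 3 is the poisoned answer to flag.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z resolver=10.0.0.53 qname=update.example.com qtype=A ttl=300 answer=198.51.100.20
2024-05-01T10:00:01Z resolver=10.9.9.9 qname=update.example.com qtype=A ttl=300 answer=198.51.100.20
2024-05-01T10:07:42Z resolver=10.0.0.53 qname=update.example.com qtype=A ttl=30 answer=203.0.113.45
2024-05-01T10:07:42Z resolver=10.9.9.9 qname=update.example.com qtype=A ttl=293 answer=198.51.100.20
2024-05-01T10:08:10Z resolver=10.0.0.53 qname=portal.example.gov qtype=A ttl=3600 answer=192.0.2.7
"""

def parse_log(text):
    """One dict per parseable A-record response line; ttl converted to int."""
    records = []
    for m in filter(None, map(LOG_RE.match, text.splitlines())):
        records.append({**m.groupdict(), "ttl": int(m["ttl"])})
    return records

def check_baseline(rec, baseline=BASELINE, min_ttl=60):
    """Flag answers outside the expected ranges or with suspiciously short TTLs."""
    findings, nets = [], baseline.get(rec["qname"])
    if nets is None:
        return findings  # domain not monitored
    addr = ipaddress.ip_address(rec["answer"])
    if not any(addr in ipaddress.ip_network(n) for n in nets):
        findings.append(f"{rec['qname']} -> {addr} outside baseline (resolver {rec['resolver']})")
    if rec["ttl"] < min_ttl:
        findings.append(f"{rec['qname']} short TTL {rec['ttl']} (resolver {rec['resolver']})")
    return findings

def resolver_disagreements(records):
    """Names for which different resolvers returned different answer sets."""
    seen = defaultdict(lambda: defaultdict(set))
    for rec in records:
        seen[rec["qname"]][rec["resolver"]].add(rec["answer"])
    return sorted(q for q, by_res in seen.items()
                  if len({frozenset(a) for a in by_res.values()}) > 1)
```

Domains served from CDNs legitimately rotate addresses, so baseline by network range rather than exact IP and treat cross-resolver disagreement as a lead to investigate rather than a verdict.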
Implications for Telecoms and Government Networks
The MgBot campaign highlights how advanced threat actors are increasingly targeting foundational internet services rather than individual endpoints. Telecom providers and government agencies, which often manage or rely on large-scale DNS infrastructure, face elevated risk from such techniques.
As APT groups continue to innovate at the network layer, defenders must expand their focus beyond endpoints and applications to include the underlying systems that make digital communication possible.
Conclusion
Evasive Panda’s use of DNS poisoning to deploy MgBot underscores a growing trend toward subtle, infrastructure-level cyber espionage. By exploiting trust in core internet services, attackers can achieve durable and stealthy access to high-value targets. The campaign serves as a stark reminder that visibility and security at the network layer are now essential components of modern cyber defense.