Evasive Panda Hijacks DNS: Victims Download Malware Masquerading as Software Updates
In the evolving landscape of advanced persistent threats (APTs), the Chinese-linked hacking group known as Evasive Panda has demonstrated a sophisticated shift in tactics. Previously recognized for targeting telecommunications firms and government entities across Southeast Asia, Europe, and Africa, Evasive Panda—also tracked as Storm-0062 or Daggerfly—has refined its approach to evade detection. Recent analysis reveals that the group now manipulates DNS configurations on compromised networks, redirecting legitimate software update requests to malicious payloads. This method allows attackers to deliver malware under the guise of routine updates, bypassing traditional security controls.
Background on Evasive Panda
Evasive Panda first gained prominence in 2021 through operations compromising high-profile targets, including Myanmar’s telecom giant MPT. The group’s toolkit typically includes custom malware such as MgBot (a modular backdoor), alongside publicly available tools like Cobalt Strike beacons. Attributed to China’s Ministry of State Security or affiliated contractors, Evasive Panda focuses on espionage, data exfiltration, and network persistence. Their operations often exploit supply chain vulnerabilities and unpatched systems, with a penchant for living-off-the-land techniques to blend into normal network traffic.
The latest campaign, detailed in a report from cybersecurity firm Cyble, marks a departure from phishing-heavy vectors. Rather than relying on email lures or drive-by downloads, Evasive Panda prioritizes post-compromise persistence through DNS tampering. This technique ensures long-term access even after initial footholds are detected and remediated.
The DNS Manipulation Technique
At the core of this operation is the unauthorized alteration of DNS server settings on victim machines or routers. Once initial access is gained—often via exploited vulnerabilities in web applications or weak remote access protocols—attackers deploy scripts to modify DNS resolver configurations. Windows hosts files are edited, registry keys under HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters are altered, or router firmware DNS fields are overwritten.
Victims are redirected to attacker-controlled DNS servers, typically hosted on bulletproof infrastructure in regions like Russia or Southeast Asia. These rogue resolvers poison responses for popular software domains. For instance, queries for update servers from applications like VMware, Zoom, or enterprise management tools resolve to IP addresses under attacker control.
Instead of fetching legitimate patches, the victim’s update client downloads a trojanized executable. Cyble researchers observed payloads disguised as “VMware-tools-updater.exe” or similar, which are in fact MgBot variants. Upon execution, the malware establishes a command-and-control (C2) channel over HTTPS to domains like “update[.]vmware-service[.]com,” mimicking benign traffic.
Technical breakdown of the infection chain:
- Initial Access: Exploitation of CVE-listed flaws (e.g., in Apache Struts or unpatched VPNs) or brute-forced credentials.
- Persistence via DNS Change: PowerShell or batch scripts execute commands like netsh interface ip set dns "Ethernet" static 185.XXX.XXX.XXX primary, followed by flushing the DNS cache with ipconfig /flushdns.
- Malware Delivery: Update checks trigger HTTP GET requests to spoofed domains, serving MSI or EXE droppers. These employ anti-analysis tricks, such as checking for virtual machine artifacts or debugger presence.
- Post-Exploitation: MgBot unpacks modules for keylogging, screenshot capture, file exfiltration, and lateral movement. It uses domain generation algorithms (DGAs) for C2 resilience.
Indicators of compromise (IOCs) include anomalous DNS traffic to IPs like 185.199.XXX.XXX, suspicious hosts file entries, and processes spawning from %TEMP%\updates.exe.
Targets and Scope
Evasive Panda’s cross-continental operations have hit telecoms in Myanmar, Italy, and Turkey, alongside government agencies in Africa. The DNS hijack tactic appears tailored for environments with heavy reliance on automatic updates, such as corporate networks with endpoint management software. Cyble noted infections in sectors like manufacturing and logistics, where software like Autodesk or Adobe products are ubiquitous.
This method’s stealth lies in its exploitation of trusted processes. Security tools often whitelist update-related traffic, allowing malware to slip through. Detection challenges are compounded by the group’s use of stolen legitimate certificates for payloads.
Detection and Mitigation Strategies
Organizations facing similar threats should prioritize:
- DNS Monitoring: Implement DNS firewalls or sinkholing with tools like RPZ (Response Policy Zones) in BIND. Monitor for sudden DNS server changes via endpoint detection and response (EDR) agents.
- Update Integrity Verification: Enforce certificate pinning for update endpoints and deploy software bill of materials (SBOM) checks. Use local repositories or WSUS for Windows updates to avoid external DNS reliance.
- Network Segmentation: Isolate critical update traffic and apply least-privilege DNS configurations. Router firmware hardening prevents upstream tampering.
- Behavioral Analytics: Alert on anomalous executable launches from update directories or unexpected DNS queries during off-hours.
Patch management remains paramount; Evasive Panda exploits known vulnerabilities with high success rates. Tools like Microsoft Defender for Endpoint or CrowdStrike Falcon can baseline normal update behaviors for anomaly detection.
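As an added example (not code from the Cyble report or from any Evasive Panda tooling), the following Python audit applies the infection-chain indicators above together with the DNS Monitoring and Behavioral Analytics items: it flags hosts-file entries that pin update-server domains, configured resolvers outside a corporate allowlist, and process command lines that set a static resolver or launch from a Temp directory. The allowlist, the watched zones, and every sample value are assumptions constructed for the example.

```python
import re
from ipaddress import ip_address, ip_network
# Constructed sample inputs (assumed values, not from any real host). A real audit
# would read the Windows hosts file, interface DNS settings and EDR telemetry.
HOSTS_FILE = """\
127.0.0.1       localhost
203.0.113.45    update.vmware.com
203.0.113.45    softwareupdate.vmware.com   # added by attacker script
"""
CONFIGURED_RESOLVERS = ["10.0.0.53", "198.51.100.7"]   # second one is rogue
PROCESS_LOG = [
    "svchost.exe -k netsvcs",
    'cmd.exe /c netsh interface ip set dns "Ethernet" static 198.51.100.7 primary',
    "cmd.exe /c ipconfig /flushdns",
    r"C:\Users\alice\AppData\Local\Temp\updates.exe",
]
# Assumed policy: trusted corporate resolvers and the update zones to watch.
ALLOWED_RESOLVERS = [ip_network("10.0.0.0/24")]
WATCHED_UPDATE_ZONES = ("vmware.com", "zoom.us", "adobe.com")
NETSH_DNS = re.compile(r"netsh\s+interface\s+ip(?:v4)?\s+set\s+dns\b.*\bstatic\s+(\S+)", re.I)
TEMP_EXEC = re.compile(r"\\temp\\[^\\]*\.exe\b", re.I)

def _in_watched_zone(name):
    return any(name == z or name.endswith("." + z) for z in WATCHED_UPDATE_ZONES)

def hosts_overrides(hosts_text):
    """Return (ip, hostname) pairs in the hosts file that pin a watched update zone."""
    hits = []
    for line in hosts_text.splitlines():
        line = line.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        ip, *names = line.split()
        hits += [(ip, n.lower()) for n in names if _in_watched_zone(n.lower())]
    return hits

def rogue_resolvers(resolvers):
    """Return configured resolvers that fall outside the corporate allowlist."""
    return [r for r in resolvers if not any(ip_address(r) in n for n in ALLOWED_RESOLVERS)]

def suspicious_commands(log_lines):
    """Flag command lines that set a static resolver or run from a Temp directory."""
    alerts = []
    for cmd in log_lines:
        m = NETSH_DNS.search(cmd)
        if m:
            alerts.append(("dns-change", m.group(1)))
        elif TEMP_EXEC.search(cmd):
            alerts.append(("temp-exec", cmd))
    return alerts
```

Any non-empty result from the three functions is a lead to triage; a flagged resolver change should be compared against the change-management record before restoring DNS from a known-good baseline.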
Implications for Cybersecurity
This campaign underscores the risks of DNS as a foundational attack surface. As APT groups like Evasive Panda evolve beyond opportunistic phishing, supply chain and protocol abuse become the norm. Defenders must adopt zero-trust architectures, treating all traffic—including updates—with suspicion. Regular audits of DNS configurations and traffic logs are non-negotiable.
While no nation-state attribution beyond circumstantial links to China exists, the operation’s precision suggests state sponsorship. Victims are urged to scan for listed IOCs and restore DNS from backups.
Evasive Panda’s DNS pivot exemplifies adaptive cyber threats, demanding proactive defenses in an interconnected world.