Evasive Panda Expands Long-Term Cyber Espionage Campaign Targeting Türkiye, China, and India

Introduction

Kaspersky has disclosed new intelligence detailing a prolonged and highly targeted cyber espionage campaign attributed to the advanced persistent threat group Evasive Panda. The operation highlights the group’s continued evolution, leveraging stealthy malware execution techniques and trusted software ecosystems to infiltrate high-value targets across multiple regions.

Background and Context

The newly uncovered campaign was active between November 2022 and November 2024, with confirmed victims in Türkiye, China, and India. Investigators observed several compromised environments remaining under attacker control for more than a year, underscoring the actor’s focus on persistence and intelligence collection rather than rapid monetization.

This activity reflects Evasive Panda’s long-standing tradecraft, blending legacy malware frameworks with modern delivery and evasion strategies to bypass enterprise defenses.

Technical Details of the Attack

At the center of the operation is MgBot, a modular backdoor that has been associated with Evasive Panda since at least 2012. Despite its age, the malware remains effective due to continuous refinement and flexible deployment.

Key technical characteristics include:

  • Process Injection: Malware payloads are injected into legitimate Windows system processes to evade behavioral detection.
  • Fake Software Updates: Victims are lured through installers masquerading as updates for widely used applications such as SohuVA, iQIYI Video, IObit Smart Defrag, and Tencent QQ.
  • DNS Poisoning: Attackers manipulated DNS responses to deliver malicious components from attacker-controlled infrastructure while making them appear hosted on legitimate, well-known websites.
  • Enhanced C2 Resilience: Updated MgBot configurations support multiple command-and-control servers, ensuring redundancy and long-term access even if part of the infrastructure is disrupted.
  • Modular Capabilities: Deployed plugins enable keylogging, file exfiltration, and remote command execution, allowing tailored espionage based on the target environment.

Timeline of Events

  • November 2022: Initial infections linked to trojanized software updates.
  • 2023: Expansion of the campaign with refined DNS poisoning and improved stealth techniques.
  • 2024: Discovery of updated MgBot configurations and confirmation of year-long persistence on select systems.
  • Late 2024: Public disclosure following in-depth analysis by Kaspersky researchers.

Expert Commentary

According to Fatih Şensoy, Security Researcher at Kaspersky, the campaign demonstrates a calculated balance between innovation and reuse of proven tools:

The attackers show exceptional patience and operational discipline. By adapting MgBot deployments on the server side to specific operating system environments, they achieve highly targeted espionage while minimizing exposure. This is a resource-intensive approach designed for long-term intelligence gathering rather than short-term impact.

Impact and Scope

The campaign primarily affects organizations and users within strategic regions, potentially exposing sensitive communications, credentials, and proprietary data. The use of trusted software as an infection vector significantly increases the risk profile, as even security-aware users may overlook malicious activity disguised as legitimate updates.

Response and Mitigation Recommendations

Kaspersky advises a combination of technical controls and user awareness to counter similar threats:

For Organizations

  • Enforce multi-factor authentication and integrity validation for software updates.
  • Deploy advanced endpoint detection and response tools to analyze update behavior and file placement anomalies.
  • Monitor network traffic for Adversary-in-the-Middle indicators, including irregular DNS responses.
  • Conduct regular user training focused on identifying update-themed phishing and trojanized installers.
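One way to operationalize the "irregular DNS responses" check in the list above, as an added example that is not code from the article or from Kaspersky: compare the answers an internal resolver returns for update hosts against an out-of-band resolver and against vendor-published address ranges, and flag disagreement, out-of-range answers and unusually short TTLs. All domains, addresses, ranges and resolver names below are constructed placeholders.

```python
import ipaddress
from collections import defaultdict

# Constructed sample observations (not real indicators from the report).
# Each record: (answering resolver, queried name, answered address, TTL).
OBSERVATIONS = [
    ("internal-dns", "update.example-vendor.test", "203.0.113.10", 30),
    ("oob-dns",      "update.example-vendor.test", "198.51.100.20", 3600),
    ("oob-dns",      "update.example-vendor.test", "198.51.100.21", 3600),
    ("internal-dns", "cdn.example-vendor.test",    "198.51.100.50", 3600),
    ("oob-dns",      "cdn.example-vendor.test",    "198.51.100.50", 3600),
]

# Assumed vendor-published ranges for the update hosts (constructed).
EXPECTED_RANGES = {
    "update.example-vendor.test": [ipaddress.ip_network("198.51.100.0/24")],
    "cdn.example-vendor.test":    [ipaddress.ip_network("198.51.100.0/24")],
}


def find_dns_anomalies(observations, expected_ranges,
                       trusted_source="oob-dns", low_ttl=60):
    """Return (qname, resolver, indicator) tuples for non-trusted resolvers
    whose answers look like a poisoned or man-in-the-middled response."""
    answers = defaultdict(lambda: defaultdict(set))
    min_ttl = {}
    for source, qname, rdata, ttl in observations:
        answers[qname][source].add(ipaddress.ip_address(rdata))
        key = (qname, source)
        min_ttl[key] = min(ttl, min_ttl.get(key, ttl))

    findings = []
    for qname, per_source in answers.items():
        trusted = per_source.get(trusted_source, set())
        ranges = expected_ranges.get(qname, [])
        for source, addrs in per_source.items():
            if source == trusted_source:
                continue
            # Indicator 1: no overlap with the out-of-band resolver's answer.
            if trusted and addrs.isdisjoint(trusted):
                findings.append((qname, source, "answer_mismatch"))
            # Indicator 2: an answer outside the vendor's published ranges.
            if ranges and not all(any(a in n for n in ranges) for a in addrs):
                findings.append((qname, source, "unexpected_range"))
            # Indicator 3: short TTL, typical of an injected or rotating answer.
            if min_ttl[(qname, source)] < low_ttl:
                findings.append((qname, source, "short_ttl"))
    return findings


if __name__ == "__main__":
    for finding in find_dns_anomalies(OBSERVATIONS, EXPECTED_RANGES):
        print("ALERT", *finding)
```

In practice the observations would come from resolver logs or a periodic out-of-band lookup job, and each indicator on its own is only a lead; all three firing on the same update host is what warrants an investigation.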

For Individual Users

  • Avoid downloading updates from unofficial sources.
  • Perform regular system scans using reputable security solutions.
  • Keep operating systems and applications patched through verified vendor channels.

Outlook

Evasive Panda’s continued reliance on MgBot illustrates how mature espionage tools can remain effective when paired with adaptive delivery mechanisms. As threat actors increasingly exploit trust in common software ecosystems, organizations must prioritize intelligence-driven defense strategies and continuous monitoring to detect subtle, long-term intrusions.

Sources:

Additional technical analysis and indicators of compromise are available via Securelist, Kaspersky’s official threat research platform.

Amal Singh

About Author

I am a cyber law and data privacy professional currently pursuing Master in Cyber Law and Information Security at the National Law Institute University, Bhopal. I hold a B.A. LL.B. (Hons.) with a specialization in International Law and work at the intersection of cybersecurity, digital governance, and technology policy. My writing focuses on data protection, cybercrime, AI governance, and emerging cyber risks, with an emphasis on clarity and practical insight.