General overview of storing payload on disk by using hybrid encryption | Image: Kaspersky Labs
A notorious cyber-espionage group has spent the last two years conducting a highly targeted surveillance campaign, hijacking network traffic and poisoning DNS responses to deliver malware through legitimate-looking software updates. A new report from Kaspersky Labs details the latest activities of Evasive Panda (also known as StormBamboo or Daggerfly), revealing a sophisticated operation that targeted victims in China, India, and Türkiye between November 2022 and November 2024.
The group, active since 2012, has upgraded its arsenal with “hybrid encryption practices” and a new stealth loader designed to bypass modern defenses.
The attack often begins with a classic Trojan horse strategy: disguising malware as updates for trusted applications. Researchers discovered the group impersonating SohuVA, a popular streaming app from a Chinese internet giant.
“The malicious package, named sohuva_update_10.2.29.1-lup-s-tp.exe, clearly impersonates a real SohuVA update to deliver malware,” the report states.
But the deception didn’t stop there. The group also compromised update mechanisms for other widely used software, including the iQIYI Video application, IObit Smart Defrag, and Tencent QQ. By dropping fake updaters into legitimate installation folders, the attackers ensured their malicious code was executed by trusted system services.
Perhaps the most alarming tactic identified was the use of Adversary-in-the-Middle (AitM) attacks to hijack network traffic. In one striking example, the malware retrieved its second-stage payload from a seemingly innocent source: dictionary.com.
According to the analysis, the attackers manipulated DNS responses to redirect traffic intended for the legitimate dictionary site to their own servers. “Our telemetry shows that the attackers successfully obtained the encrypted second-stage shellcode, disguised as a PNG file, from the legitimate website dictionary[.]com,” the researchers explained.
This allowed the attackers to deliver payloads based on the victim’s specific geography and internet service provider, making the attack highly targeted and difficult to replicate in a lab environment.
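The second-stage shellcode was served "disguised as a PNG file". A defender who sees an image download at an odd moment wants a better test than the eight-byte signature that file-type sniffers stop at. The following is an added example, not code from the Kaspersky report (which does not describe how the disguised file was built): it walks the PNG chunk structure and verifies every length and CRC, so a blob that merely starts with the PNG magic fails, as does a real image with bytes appended after IEND. The sample files are constructed inline; the "fake" is a PNG signature glued onto opaque bytes.

```python
"""Structural PNG check (added example): does a file that claims to be a PNG actually parse as one?"""
import struct, zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"

def png_chunks(data):
    """Yield (type, body) for every chunk after the signature, verifying each length and
    CRC; raise ValueError at the first defect, including bytes trailing the last chunk."""
    if not data.startswith(PNG_SIG):
        raise ValueError("missing PNG signature")
    off = 8
    while off < len(data):
        if off + 12 > len(data):
            raise ValueError("trailing bytes too short to be a chunk")
        length, ctype = struct.unpack(">I4s", data[off:off + 8])
        end = off + 12 + length
        if end > len(data):
            raise ValueError("chunk %r claims %d bytes but the file ends first" % (ctype, length))
        body = data[off + 8:off + 8 + length]
        crc, = struct.unpack(">I", data[end - 4:end])
        if zlib.crc32(ctype + body) & 0xFFFFFFFF != crc:
            raise ValueError("bad CRC on chunk %r" % ctype)
        yield ctype, body
        off = end

def looks_like_real_png(data):
    """Return (verdict, reason). True only for a well-formed PNG from signature to IEND with nothing appended."""
    try:
        chunks = list(png_chunks(data))
    except ValueError as e:
        return False, str(e)
    types = [t for t, _ in chunks]
    if not chunks or types[0] != b"IHDR" or len(chunks[0][1]) != 13:
        return False, "first chunk is not a 13-byte IHDR"
    if types[-1] != b"IEND":
        return False, "last chunk is not IEND"
    if b"IDAT" not in types:
        return False, "no IDAT chunk"
    w, h = struct.unpack(">II", chunks[0][1][:8])
    return True, "%dx%d image, %d chunks" % (w, h, len(chunks))

def _chunk(ctype, body):
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", zlib.crc32(ctype + body) & 0xFFFFFFFF)

def make_minimal_png():
    """Constructed 1x1 8-bit grayscale PNG, not taken from the report."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)   # width, height, bit depth, colour type, ...
    idat = zlib.compress(b"\x00\x00")                    # one scanline: filter byte 0 + one grey pixel
    return PNG_SIG + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", idat) + _chunk(b"IEND", b"")

# Constructed decoys: a PNG signature glued onto an opaque blob, and a real PNG with a blob appended.
FAKE_PNG = PNG_SIG + bytes(range(64))
PNG_WITH_TRAILER = make_minimal_png() + bytes(range(64))

if __name__ == "__main__":
    for name, sample in [("real", make_minimal_png()), ("fake", FAKE_PNG), ("trailer", PNG_WITH_TRAILER)]:
        print(name, looks_like_real_png(sample))
```

This is a first filter, not a verdict: a payload carried inside a well-formed PNG, for instance in an ancillary chunk whose CRC is correct, passes this check and needs content inspection of the chunk bodies.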
To keep their implants persistent and resistant to offline analysis, Evasive Panda employed a “hybrid encryption” scheme: the malware combines Microsoft’s Data Protection API (DPAPI), whose output can be decrypted only under the user or machine context that produced it, with the RC5 block cipher to encrypt its payloads on the victim’s disk.
“The attacker uses this approach to ensure that a crucial part of the attack chain is secured, and the encrypted data can only be decrypted on the specific system where the encryption was initially performed,” the report notes.
This ties the encrypted payload to the specific machine it infects. DPAPI-protected data can be decrypted only with that host’s DPAPI master keys, so payload files copied off the victim are useless on a researcher’s computer unless those keys, or a live session on the infected host, are available along with them.
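The hybrid scheme described above, as an added example rather than Kaspersky’s or the malware’s code: a fresh RC5 key encrypts the payload, and only that key is handed to DPAPI, so the blob on disk is bound to the host while the bulk cipher stays cheap. The RC5 parameters (32-bit words, 12 rounds, 16-byte key), CTR mode and the blob layout are assumptions; the report does not give them. On Windows the `dpapi` function calls the real CryptProtectData/CryptUnprotectData; elsewhere a constructed stand-in, `FakeDpapi`, binds the key to a per-host secret so the "wrong machine" failure can be shown offline.

```python
"""Hybrid on-disk payload protection (added example): RC5 for the payload, a host-bound wrap for the key."""
import ctypes, hashlib, hmac, os, struct

R, MASK, P32, Q32 = 12, 0xFFFFFFFF, 0xB7E15163, 0x9E3779B9   # RC5-32/12 (assumed) and its w=32 magic constants

def _rotl(x, y):
    y &= 31
    return ((x << y) | (x >> (32 - y))) & MASK

def _rotr(x, y):
    return _rotl(x, -y)                     # (-y) & 31 == (32 - y) & 31

def rc5_expand(key):
    """RC5 key schedule: returns the round-subkey table S for a key of 1..255 bytes."""
    c = max(1, (len(key) + 3) // 4)
    L = list(struct.unpack("<%dI" % c, key.ljust(c * 4, b"\0")))   # key bytes -> little-endian words
    t = 2 * (R + 1)
    S = [(P32 + i * Q32) & MASK for i in range(t)]
    i = j = A = B = 0
    for _ in range(3 * max(t, c)):
        A = S[i] = _rotl((S[i] + A + B) & MASK, 3)
        B = L[j] = _rotl((L[j] + A + B) & MASK, A + B)
        i, j = (i + 1) % t, (j + 1) % c
    return S

def rc5_encrypt_block(S, block):
    A, B = struct.unpack("<II", block)
    A, B = (A + S[0]) & MASK, (B + S[1]) & MASK
    for i in range(1, R + 1):
        A = (_rotl(A ^ B, B) + S[2 * i]) & MASK
        B = (_rotl(B ^ A, A) + S[2 * i + 1]) & MASK
    return struct.pack("<II", A, B)

def rc5_decrypt_block(S, block):
    A, B = struct.unpack("<II", block)
    for i in range(R, 0, -1):
        B = _rotr((B - S[2 * i + 1]) & MASK, A) ^ A
        A = _rotr((A - S[2 * i]) & MASK, B) ^ B
    return struct.pack("<II", (A - S[0]) & MASK, (B - S[1]) & MASK)

def rc5_ctr(S, nonce, data):
    """CTR mode over 8-byte blocks (assumed mode); the same call encrypts and decrypts."""
    out, ctr = bytearray(), int.from_bytes(nonce, "little")
    for off in range(0, len(data), 8):
        ks = rc5_encrypt_block(S, ((ctr + off // 8) & 0xFFFFFFFFFFFFFFFF).to_bytes(8, "little"))
        out += bytes(a ^ b for a, b in zip(data[off:off + 8], ks))
    return bytes(out)

class _BLOB(ctypes.Structure):              # Windows DATA_BLOB
    _fields_ = [("cbData", ctypes.c_uint32), ("pbData", ctypes.POINTER(ctypes.c_char))]

def dpapi(data, unprotect=False):
    """Real DPAPI via CryptProtectData / CryptUnprotectData; Windows only, current-user scope."""
    buf = ctypes.create_string_buffer(data, len(data))
    blob_in = _BLOB(len(data), ctypes.cast(buf, ctypes.POINTER(ctypes.c_char)))
    blob_out = _BLOB()
    fn = ctypes.windll.crypt32.CryptUnprotectData if unprotect else ctypes.windll.crypt32.CryptProtectData
    if not fn(ctypes.byref(blob_in), None, None, None, None, 0, ctypes.byref(blob_out)):
        raise OSError("DPAPI call failed, error %d" % ctypes.GetLastError())
    out = ctypes.string_at(blob_out.pbData, blob_out.cbData)
    ctypes.windll.kernel32.LocalFree(blob_out.pbData)
    return out

class FakeDpapi:
    """Constructed stand-in for DPAPI on non-Windows hosts: keyed by a per-host secret, so unwrapping
    on any other host fails, which is the property the real API gives the malware. Demo only."""
    def __init__(self, host_secret):
        self.secret = host_secret
    def _pad(self, n):
        return hmac.new(self.secret, b"key-wrap", hashlib.sha256).digest()[:n]
    def wrap(self, key):
        body = bytes(a ^ b for a, b in zip(key, self._pad(len(key))))
        return body + hmac.new(self.secret, body, hashlib.sha256).digest()[:16]
    def unwrap(self, blob):
        body, tag = blob[:-16], blob[-16:]
        if not hmac.compare_digest(tag, hmac.new(self.secret, body, hashlib.sha256).digest()[:16]):
            raise PermissionError("key blob was not wrapped on this host")
        return bytes(a ^ b for a, b in zip(body, self._pad(len(body))))

def store_payload(payload, wrap):
    """Blob layout (assumed): u16 wrapped-key length | wrapped key | 8-byte nonce | RC5-CTR ciphertext."""
    key, nonce = os.urandom(16), os.urandom(8)    # fresh 128-bit key and nonce per payload
    wrapped = wrap(key)                            # only the key is host-bound; the bulk data is plain RC5
    return struct.pack("<H", len(wrapped)) + wrapped + nonce + rc5_ctr(rc5_expand(key), nonce, payload)

def load_payload(blob, unwrap):
    n, = struct.unpack("<H", blob[:2])
    wrapped, nonce, ct = blob[2:2 + n], blob[2 + n:10 + n], blob[10 + n:]
    return rc5_ctr(rc5_expand(unwrap(wrapped)), nonce, ct)   # unwrap raises on the wrong host

def demo():
    """Returns (payload recovered on the infected host, outcome of trying the same blob elsewhere)."""
    victim, analyst = FakeDpapi(b"victim-host-secret"), FakeDpapi(b"analyst-host-secret")  # constructed
    blob = store_payload(b"second-stage shellcode (constructed sample)", victim.wrap)
    try:
        elsewhere = load_payload(blob, analyst.unwrap)
    except PermissionError:
        elsewhere = "refused"
    return load_payload(blob, victim.unwrap), elsewhere

if __name__ == "__main__":
    print(demo())
```

On a real Windows victim, `store_payload(data, dpapi)` and `load_payload(blob, lambda b: dpapi(b, unprotect=True))` give the same behaviour with the operating system doing the binding. The forensic consequence is the second value `demo()` returns: the ciphertext is recoverable from an image, the key is not, so the payload must be decrypted live on the host or after extracting its DPAPI master keys.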
Despite the new delivery methods, the ultimate goal remains the deployment of MgBot, the group’s signature backdoor. The new loader hands off to a “secondary loader” that carries a legitimate-looking library name (libpython2.4.dll, borrowed from the Python 2.4 runtime) and injects MgBot into system processes such as svchost.exe.
“Notably, the attackers have developed a new loader that evades detection when infecting its targets,” the report says; among its techniques is DLL sideloading, in which a decade-old signed executable (evteng.exe) is made to load the attacker’s DLL so that the malicious code runs behind a trusted-looking process.
“The Evasive Panda threat actor has once again showcased its advanced capabilities, evading security measures with new techniques and tools while maintaining long-term persistence in targeted systems,” the report concludes.
As the group continues to refine its “AitM” capabilities—potentially compromising ISPs or edge routers—defenders face an increasingly elusive adversary.