Malware Injected into System Processes by Threat Actors Targeting China, Turkey : Research

Kaspersky released new findings on a sophisticated cyber espionage campaign by the Evasive Panda threat actor. The attackers have reportedly executed malware by injecting it into legitimate system processes and “maintained a stealthy presence in compromised systems.” The operation, reportedly active from November 2022 to November 2024, has “compromised systems in Turkey, China, and India, with some infections persisting for over a year.” This revelation underscores the group’s tactics and their “commitment to long-term infiltration of targeted networks.”

The attack employs deceptive lures disguised “as legitimate software updates for popular Windows applications, including SohuVA, iQIYI Video, IObit Smart Defrag, and Tencent QQ.”

These fake updaters are designed to “blend with software, allowing the attackers to initiate malicious activities without immediate detection.”

The attackers also used a DNS poisoning technique “to deliver a malware component from their server, making it appear as if it was stored on a popular legitimate website.”

At the core of the attack is the decade-old MgBot implant, “a modular malware framework used by Evasive Panda for cyber espionage since at least 2012, featuring plugins for tasks like keylogging, file theft, and command execution.”

For attacks in 2022-2024, MgBot was updated “with new configurations, including multiple command-and-control (C2) servers to ensure intrusion redundancy and prolonged access.”

Fatih Şensoy, security expert at Kaspersky, said:

“This campaign exemplifies the attackers’ efforts in evading defenses while reusing proven tools like MgBot. In a two-year long campaign, they’ve demonstrated a resource-intensive and persistent approach which exploits user trust in everyday applications to maintain footholds in critical systems. What stands out is their adaptive deployment strategy, tailoring implants to specific OS environments on the server side, allowing for highly targeted espionage. Organizations need proactive, intelligence-driven security measures to counter such enduring campaigns.”

Kaspersky urges organizations and individual users “to remain vigilant against this and similar threats.”

Based on the investigation, Kaspersky recommends:

  • Organizations should enforce multi-factor authentication for software updates and use endpoint detection tools to scrutinize update packages for anomalies, such as unexpected file placements or code similarities to known malicious templates.
  • Organizations should enhance network monitoring for Adversary-in-the-Middle (AitM) attack indicators: regularly audit DNS responses and network traffic for signs of poisoning or interception.
  • Organizations should also train users to recognize phishing lures disguised as updates from trusted vendors.
  • Individual users should perform proactive scans for malware using proven protective solutions.
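One way to implement the DNS audit in the second recommendation, as an added example that is not Kaspersky's code: resolve each name through the local resolver and through several independent resolvers, then flag any address the local resolver returns that fewer than a quorum of independent resolvers confirm. The hostnames and addresses are constructed sample data, and the resolver answers are embedded instead of being looked up live.

```python
"""Cross-check local DNS answers against independent resolvers to surface
poisoning indicators. All names and addresses below are constructed samples."""
from typing import Dict, List, Set

Answers = Dict[str, Set[str]]  # hostname -> set of A-record addresses

# Constructed: what the local (possibly poisoned) resolver returned.
LOCAL_ANSWERS: Answers = {
    "update.vendor.example": {"203.0.113.5"},
    "cdn.site.example": {"198.51.100.20", "198.51.100.21"},
    "static.site.example": {"192.0.2.77"},      # no independent resolver agrees
}

# Constructed: the same names resolved through three independent resolvers.
INDEPENDENT_ANSWERS: List[Answers] = [
    {"update.vendor.example": {"203.0.113.5"},
     "cdn.site.example": {"198.51.100.20", "198.51.100.21"},
     "static.site.example": {"198.51.100.30"}},
    {"update.vendor.example": {"203.0.113.5"},
     "cdn.site.example": {"198.51.100.21"},
     "static.site.example": {"198.51.100.30"}},
    {"update.vendor.example": {"203.0.113.5"},
     "cdn.site.example": {"198.51.100.20"},
     "static.site.example": {"198.51.100.31"}},
]


def audit_dns(local: Answers, independent: List[Answers],
              quorum: int = 2) -> Dict[str, Set[str]]:
    """Return {hostname: addresses} for every address the local resolver gave
    that fewer than `quorum` independent resolvers also returned for that name.
    A quorum (rather than unanimity) tolerates CDNs that rotate among a pool
    of addresses while still catching an answer nobody else has seen."""
    findings: Dict[str, Set[str]] = {}
    for name, local_ips in local.items():
        unconfirmed = set()
        for ip in local_ips:
            votes = sum(1 for r in independent if ip in r.get(name, set()))
            if votes < quorum:
                unconfirmed.add(ip)
        if unconfirmed:
            findings[name] = unconfirmed
    return findings


if __name__ == "__main__":
    for host, ips in audit_dns(LOCAL_ANSWERS, INDEPENDENT_ANSWERS).items():
        print(f"suspect answer for {host}: {sorted(ips)}")
```

Geo-aware CDNs legitimately answer differently per resolver location, so treat a hit as a lead to confirm (for example, against the vendor's published ranges or certificate), not as proof of poisoning.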

Established in 2008, Global Research & Analysis Team (GReAT) operates at the very core of Kaspersky, uncovering “APTs, cyber-espionage campaigns, major malware, ransomware and underground cyber-criminal trends across the world.”

GReAT currently consists of 35+ professionals “working globally – in Europe, Russia, Latin America, Asia and the Middle East.”

These security professionals reportedly provide the company’s leadership in anti-malware research and innovation, bringing “expertise, curiosity to the discovery and analysis of cyberthreats.”
