Intel Name: Evasive Panda APT poisons DNS requests to deliver MgBot
Date of Scan: December 30, 2025
Impact: Medium
Summary: The Evasive Panda APT group conducted highly targeted campaigns between November 2022 and November 2024, abusing poisoned DNS responses to deliver its MgBot malware. The attackers leveraged adversary-in-the-middle (AitM) techniques to fetch encrypted malware components from attacker-controlled servers, selected per victim on the basis of that victim's DNS requests. By combining a newly developed evasive loader, hybrid encryption, and in-memory execution via DLL sideloading into a legitimate signed executable, the group maintained stealthy, persistent access while making each infection unique and difficult to detect or analyze.