Evasive Panda APT Poisons DNS Requests to Deliver MgBot

    Date: 12/30/2025

    Severity: Medium

    Summary

Between November 2022 and November 2024, the Evasive Panda APT group ran highly targeted campaigns that delivered its MgBot malware through poisoned DNS responses. From an adversary-in-the-middle (AitM) position, the attackers intercepted victim-specific DNS requests and used them to fetch encrypted malware components from attacker-controlled servers. A newly developed evasive loader, hybrid encryption, and in-memory execution via DLL sideloading into a legitimate signed executable gave the group stealthy, persistent access while making each infection unique and difficult to detect or analyze.

Indicators of Compromise (IOC) List

    IP addresses

    60.28.124.21
    123.139.57.103
    140.205.220.98
    112.80.248.27
    116.213.178.11
    60.29.226.181
    58.68.255.45
    61.135.185.29
    103.27.110.232
    117.121.133.33
    139.84.170.230
    103.96.130.107
    158.247.214.28
    106.126.3.78
    106.126.3.56

    Hashes (MD5)

    c340195696d13642ecf20fbe75461bed
    7973e0694ab6545a044a49ff101d412a
    9e72410d61eaa4f24e0719b34d7cad19

    File paths (the first entry is a directory, the other two are files)

    C:\ProgramData\Microsoft\MF
    C:\ProgramData\Microsoft\eHome\status.dat
    C:\ProgramData\Microsoft\eHome\perf.dat

    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Detection Query 1 :

    dstipaddress IN ("60.28.124.21","103.96.130.107","140.205.220.98","58.68.255.45","61.135.185.29","158.247.214.28","103.27.110.232","60.29.226.181","123.139.57.103","106.126.3.56","106.126.3.78","112.80.248.27","116.213.178.11","117.121.133.33","139.84.170.230") or srcipaddress IN ("60.28.124.21","103.96.130.107","140.205.220.98","58.68.255.45","61.135.185.29","158.247.214.28","103.27.110.232","60.29.226.181","123.139.57.103","106.126.3.56","106.126.3.78","112.80.248.27","116.213.178.11","117.121.133.33","139.84.170.230")

    Detection Query 2 :

    md5hash IN ("c340195696d13642ecf20fbe75461bed","7973e0694ab6545a044a49ff101d412a","9e72410d61eaa4f24e0719b34d7cad19")

Detection Query 3 :

    resourcename = "Windows Security" AND eventtype = "4663" AND objectname IN ("C:\ProgramData\Microsoft\MF","C:\ProgramData\Microsoft\eHome\status.dat","C:\ProgramData\Microsoft\eHome\perf.dat")

    Note: Windows Security event 4663 (an attempt was made to access an object) is only written when object access auditing is enabled and a SACL covering these paths is in place. On hosts without that auditing configured, Query 3 will never fire; rely on Query 4 or equivalent EDR file telemetry there.

    Detection Query 4 :

    technologygroup = "EDR" AND objectname IN ("C:\ProgramData\Microsoft\MF","C:\ProgramData\Microsoft\eHome\status.dat","C:\ProgramData\Microsoft\eHome\perf.dat")
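The four queries above are written for the Gurucul platform. The following Python script is an added example (not Gurucul's or Kaspersky's code) that replays the same IOC logic over constructed sample log lines so the matching can be checked offline before it is deployed to a SIEM. It goes slightly beyond the queries in two ways: the MF entry is treated as a directory and matched as a path prefix, and a DNS-answer rule flags any resolution to one of the listed IPs, which is the AitM signal described in the summary. The key=value log format, the field names beyond those used in the queries (qname, answer, image) and the sample records are assumptions.

```python
"""IOC sweep for the Evasive Panda / MgBot indicators listed above.

Added example, not the vendor's code. Replays Detection Queries 1-4 in plain
Python over constructed key=value log lines. The log format and the sample
records are assumptions made for this example.
"""
import re
from typing import Dict, Iterable, List, Tuple

IOC_IPS = {
    "60.28.124.21", "123.139.57.103", "140.205.220.98", "112.80.248.27",
    "116.213.178.11", "60.29.226.181", "58.68.255.45", "61.135.185.29",
    "103.27.110.232", "117.121.133.33", "139.84.170.230", "103.96.130.107",
    "158.247.214.28", "106.126.3.78", "106.126.3.56",
}
IOC_MD5 = {
    "c340195696d13642ecf20fbe75461bed",
    "7973e0694ab6545a044a49ff101d412a",
    "9e72410d61eaa4f24e0719b34d7cad19",
}
# The MF entry is a directory, so it is matched as a prefix; the other two
# entries are exact files. Windows paths are compared case-insensitively.
IOC_DIR_PREFIXES = (r"c:\programdata\microsoft\mf",)
IOC_FILES = {
    r"c:\programdata\microsoft\ehome\status.dat",
    r"c:\programdata\microsoft\ehome\perf.dat",
}

# key=value tokens; a double-quoted value may contain spaces (assumed format).
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_kv(line: str) -> Dict[str, str]:
    """Parse one key=value log record into a dict, stripping surrounding quotes."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def norm_path(p: str) -> str:
    """Lower-case a Windows path, unify separators and drop a trailing slash."""
    return p.strip().strip('"').replace("/", "\\").lower().rstrip("\\")


def path_is_ioc(p: str) -> bool:
    """True for an exact IOC file or anything at or below the IOC directory."""
    n = norm_path(p)
    if n in IOC_FILES:
        return True
    return any(n == d or n.startswith(d + "\\") for d in IOC_DIR_PREFIXES)


def match_event(ev: Dict[str, str]) -> List[str]:
    """Return the names of the rules that fire on a parsed event (may be empty)."""
    hits = []
    # Query 1: a flow touching a listed IP in either direction
    if ev.get("srcipaddress") in IOC_IPS or ev.get("dstipaddress") in IOC_IPS:
        hits.append("q1_ioc_ip")
    # AitM signal from the summary: a DNS answer resolving to a listed IP
    if ev.get("eventtype") == "dns" and ev.get("answer") in IOC_IPS:
        hits.append("dns_answer_ioc_ip")
    # Query 2: known MgBot component hashes (hash case normalised)
    if ev.get("md5hash", "").lower() in IOC_MD5:
        hits.append("q2_ioc_md5")
    # Query 3: Windows Security 4663 object access on an IOC path
    if (ev.get("resourcename") == "Windows Security"
            and ev.get("eventtype") == "4663"
            and path_is_ioc(ev.get("objectname", ""))):
        hits.append("q3_4663_ioc_path")
    # Query 4: EDR file telemetry on an IOC path
    if ev.get("technologygroup") == "EDR" and path_is_ioc(ev.get("objectname", "")):
        hits.append("q4_edr_ioc_path")
    return hits


def sweep(lines: Iterable[str]) -> List[Tuple[str, List[str]]]:
    """Run every rule over each log line; return (line, rules_fired) for hits only."""
    results = []
    for line in lines:
        hits = match_event(parse_kv(line))
        if hits:
            results.append((line, hits))
    return results


# Constructed sample records; 10.0.0.15 and 192.0.2.53 are placeholder hosts.
SAMPLE_LOGS = [
    r"eventtype=flow srcipaddress=10.0.0.15 dstipaddress=60.28.124.21 dstport=443",
    r"eventtype=dns client=10.0.0.15 qname=update.example.invalid answer=106.126.3.56",
    r"technologygroup=EDR eventtype=process image=C:\Users\Public\loader.exe md5hash=C340195696D13642ECF20FBE75461BED",
    r'resourcename="Windows Security" eventtype=4663 objectname=C:\ProgramData\Microsoft\eHome\status.dat accessmask=0x2',
    r"technologygroup=EDR eventtype=filecreate objectname=C:\ProgramData\Microsoft\MF\cache.db",
    r"eventtype=flow srcipaddress=10.0.0.15 dstipaddress=192.0.2.53 dstport=53",
]

if __name__ == "__main__":
    for line, rules in sweep(SAMPLE_LOGS):
        print(", ".join(rules), "<-", line)
```

The sixth sample record is benign and produces no hit; the first five each trigger exactly one rule. The directory-prefix match is the part most worth keeping when porting this back to a SIEM query, since an exact `objectname IN (...)` comparison against `C:\ProgramData\Microsoft\MF` will miss files written inside that directory.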

    Reference:

    https://securelist.com/evasive-panda-apt/118576/


Tags

    Malware, Threat Actor, APT, AiTM, DLL Sideloading
