Kaspersky: An APT group connected to China poisoned DNS responses in order to distribute the MgBot backdoor. The group primarily targeted particular victims with adversary-in-the-middle (AitM) attacks. Evasive Panda is one of the numerous China-associated threat activity clusters that has depended on AitM poisoning to spread malware.
Although the threat actor's method of poisoning DNS responses is unknown, two scenarios are suspected: either the victims' ISPs were specifically targeted and compromised to install a network implant on edge devices, or the victims' router or firewall was hacked for this purpose. The HTTP request to obtain the second-stage shellcode also contains the current Windows version number. This is likely an attempt on the part of the attackers to target specific operating system versions and modify their approach according to the operating system in use.
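One defensive check that follows from the poisoning described above: compare the DNS answers clients actually received against a baseline obtained out of band (for example, a trusted resolver reached from a clean network) and flag any divergence. This is an added example, not code from Kaspersky or the original report; the log format, hostnames, addresses and baseline values are constructed for illustration.

```python
"""Flag DNS answers that diverge from a trusted baseline, a simple indicator of
AitM DNS poisoning of the kind described in the Evasive Panda reporting."""
from collections import defaultdict
import ipaddress

# Constructed sample of resolver log lines: "<ts> <client> <qname> <rtype> <answer>".
# Hostnames and addresses are made up; the third line is the planted divergent answer.
SAMPLE_LOG = """\
1700000001 10.0.0.5 update.example-software.test A 203.0.113.10
1700000002 10.0.0.7 update.example-software.test A 203.0.113.10
1700000003 10.0.0.5 update.example-software.test A 198.51.100.77
1700000004 10.0.0.9 cdn.example-software.test A 203.0.113.20
1700000005 10.0.0.9 www.example.test A 203.0.113.30
"""

# Baseline answers gathered out of band (constructed values, assumed trustworthy).
BASELINE = {
    "update.example-software.test": {"203.0.113.10"},
    "cdn.example-software.test": {"203.0.113.20"},
}


def parse_log(text):
    """Yield (timestamp, client, qname, rtype, answer) tuples from log text."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # skip malformed lines rather than aborting the whole scan
        ts, client, qname, rtype, answer = parts
        yield int(ts), client, qname.lower().rstrip("."), rtype, answer


def find_divergent_answers(log_text, baseline):
    """Return findings for baselined names that resolved to a non-baseline address.

    Each finding is (qname, answer, sorted list of clients that received it).
    Only A records are compared; names outside the baseline are ignored.
    """
    seen = defaultdict(set)
    for _ts, client, qname, rtype, answer in parse_log(log_text):
        if rtype != "A" or qname not in baseline:
            continue
        try:
            ipaddress.ip_address(answer)  # drop garbage that is not an address
        except ValueError:
            continue
        if answer not in baseline[qname]:
            seen[(qname, answer)].add(client)
    return [(q, a, sorted(c)) for (q, a), c in sorted(seen.items())]
```

A hit means a client was handed an answer the trusted resolver never returned; the affected clients are the ones to examine for a sideloaded loader or an injected "svchost.exe".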
Kaspersky: To avoid detection, the Evasive Panda malware creates a distinct encrypted second shellcode file for every victim. The use of a secondary loader that depends on sideloading an older, renamed version of "python" is an essential component of the operations. The secondary loader inserts the decrypted code, a MgBot variant, into a valid "svchost.exe" process.
This makes it possible for the malware to remain covertly present in compromised systems for extended periods of time. It's important to note that Evasive Panda has previously used watering hole attacks to spread MACMA, an Apple macOS malware. Although the second-stage malware's precise nature is unknown, Kaspersky's analysis reveals that the payload is decrypted and executed by the first-stage shellcode.
This stage was initially XOR-encrypted, and it seems that the attacker obtained it through a complicated process.