A highly sophisticated and persistent cyberespionage campaign has been actively targeting entities across Asia, demonstrating the long-term strategic objectives of the advanced persistent threat group known as Evasive Panda, or Daggerfly. This operation, which has been underway for at least two years, underscores a significant investment in long-term intelligence gathering, with evidence suggesting that some victim systems remained compromised for over a year. The primary geographic focus of these intrusions has been on organizations in Türkiye, China, and India, where the threat actor has deployed a complex and evasive toolset designed for maximum stealth and persistence. The group’s methodology reveals a patient and methodical approach, prioritizing covert access over immediate disruption, a hallmark of state-sponsored espionage efforts. By maintaining a low profile for extended periods, the attackers have been able to exfiltrate valuable data while avoiding detection by conventional security measures, posing a formidable challenge to defenders in the region.
A Sophisticated Infection Chain
The initial point of compromise in this campaign relies on cleverly executed adversary-in-the-middle (AitM) attacks and DNS poisoning techniques to deceive users and initiate the infection sequence. The threat actors distribute malicious software packages disguised as legitimate updates for widely used applications, including the iQIYI Video app, Obit Smart Defrag, and Tencent QQ. When an unsuspecting user attempts to download or update one of these programs, the manipulated network traffic redirects them to attacker-controlled servers instead of the official software repositories. These servers deliver a custom, multi-stage loader that serves as the beachhead for the subsequent phases of the attack. This intricate infection chain is meticulously designed for evasion, ensuring that the initial malicious activity is difficult to trace back to its source. While the use of fake updates is a common tactic, Evasive Panda’s implementation showcases a high degree of technical skill, particularly in its ability to manipulate network infrastructure to serve its malicious payloads seamlessly.
Stealth and Persistence through Custom Tooling
Once the initial loader was executed, the attack progressed through a multi-stage process that highlighted the group’s emphasis on operational security and anti-analysis techniques. In a particularly cunning move, the second-stage payload was disguised as a standard PNG image file and hosted on a legitimate, high-traffic website, dictionary.com, which had been compromised through DNS poisoning. To further complicate forensic analysis and ensure that the malware was unique to each target, the attackers employed a hybrid encryption method. This technique combined Microsoft’s Data Protection API (DPAPI) with the RC5 algorithm, creating a payload that could only be decrypted and executed on the specific machine it was designed for. The final stage involved injecting the group’s signature implant, a backdoor known as MgBot, directly into legitimate system processes like svchost.exe. This allowed the threat actor to establish persistent, long-term control while evading detection by security software. The entire operation was supported by a network of command-and-control servers, some of which had remained active for several years, illustrating the enduring nature of this espionage campaign.
