China's Evasive Panda Hijacks Software Updates to Deliver Custom Backdoor

Published: 23/11/2024   Category: security




Researchers observed downloads of installers for the APT's flagship backdoor, MgBot, when users at a Chinese NGO were updating legitimate applications.



A Chinese advanced persistent threat (APT) group is hijacking legitimate application update channels for software developed by Chinese companies in order to deliver custom malware.
The attacks have targeted individuals in China and Nigeria in a campaign that's been ongoing for two years. The malicious activity is aimed at stealing credentials and data for cyber-espionage purposes, researchers from Eset have found.
In January, researchers observed the Evasive Panda APT delivering the installer for the group's flagship backdoor, MgBot, to a Chinese nongovernmental organization, they revealed in a blog post published April 26.
"During our investigation, we discovered that when performing automated updates, a legitimate application software component downloaded MgBot backdoor installers from legitimate URLs and IP addresses," Facundo Munoz, an Eset security intelligence analyst and malware researcher, wrote in the post.
The malicious activity has targeted mainly Chinese users in the Gansu, Guangdong, and Jiangsu provinces, as well as one user in Nigeria.
As researchers have never observed any other threat actors using the MgBot backdoor — a modular malware that allows Evasive Panda to spy on victims and enhance its capabilities on the go — it was fairly easy to attribute the activity to the Chinese APT, they said.
Though it's not unprecedented, it is unusual and fairly complex to deliver malware through a legitimate software update channel, the researchers said. They have not yet determined how Evasive Panda did it.
However, they narrowed the possibilities down to two scenarios: a supply chain compromise or an adversary-in-the-middle (AitM) attack. The researchers reached that conclusion by analyzing the Evasive Panda campaign against both types of activity and comparing it with similar attacks seen elsewhere.
For the supply chain scenario, Eset analyzed the updater for which it detected the highest number of malware samples: the updater of the Tencent QQ Windows client, a popular Chinese chat and social media application.
"Given the targeted nature of the attacks, we speculate that attackers would have needed to compromise the QQ update servers to introduce a mechanism to identify the targeted users to deliver them the malware, filtering out non-targeted users and delivering them legitimate updates," Munoz wrote. Indeed, the researchers observed that legitimate updates were downloaded through the same abused protocols.
The researchers compared this possible scenario to a previous case they examined, in which attackers compromised the update servers of a software development company based in Hong Kong to deliver both legitimate updates of the company's BigNox software and malicious payloads to specific users. A similar scenario may have occurred in Evasive Panda's delivery of MgBot, the researchers said.
For the AitM scenario, the researchers cited a report by Kaspersky published last June about the capabilities of the Chinese-speaking LuoYu APT group, which delivered its WinDealer malware through legitimate app updates.
In that case, instead of carrying a list of established command-and-control servers to contact after a successful compromise, the malware generated random IP addresses in the 13.62.0.0/15 and 111.120.0.0/14 ranges belonging to China Telecom AS4134.
There was a similar, albeit small, coincidence in the recent Evasive Panda activity: the IP addresses of the targeted Chinese users at the time they received MgBot were in the AS4134 and AS4135 ranges, Munoz wrote.
This overlap could mean that LuoYu and Evasive Panda either control a large number of devices with IP addresses in those ranges, or that they are performing AitM or attacker-on-the-side interception on the infrastructure of that particular AS, the researchers surmised. Indeed, previous research by Symantec reported on Evasive Panda targeting an African telecommunications provider.
"With access to ISP backbone infrastructure — through legal or illegal means — Evasive Panda would be able to intercept and reply to the update requests performed via HTTP, or even modify packets on the fly," Munoz wrote.
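The interception Munoz describes only works because the updater trusts whatever body comes back over plain HTTP. The following is an added, constructed example (not ESET's code and not the QQ updater) showing the check that closes that hole: the vendor publishes a manifest (version plus payload SHA-256) signed with a key the client has pinned, and the client refuses anything that fails the signature, is older than what it already runs, or whose hash does not match. The signature scheme is a toy Schnorr construction over the Mersenne prime 2^127-1 so the script has no dependencies; the payload bytes, version numbers, and key pairs are all made up for the demonstration. A real updater would use Ed25519 or RSA-PSS from a vetted library in place of the toy group.

```python
"""Vendor-signed update manifest vs. an on-path (AitM) payload swap.
Constructed example; the "payloads" are placeholder byte strings."""
import hashlib
import json
import secrets

# --- toy Schnorr signatures over Z_p^*, p = 2^127 - 1 (Mersenne prime) ---
# Exponents are reduced mod p-1 (Fermat). Illustrative only: use a vetted
# library (Ed25519, RSA-PSS) in production.
P = (1 << 127) - 1
ORDER = P - 1
G = 3

def keygen():
    x = secrets.randbelow(ORDER - 1) + 1
    return x, pow(G, x, P)

def _challenge(r, msg):
    h = hashlib.sha256(r.to_bytes(16, "big") + msg).digest()
    return int.from_bytes(h, "big") % ORDER

def sign(priv, msg):
    k = secrets.randbelow(ORDER - 1) + 1
    r = pow(G, k, P)
    return r, (k + _challenge(r, msg) * priv) % ORDER

def verify(pub, msg, sig):
    r, s = sig
    if not (0 < r < P and 0 <= s < ORDER):
        return False
    # g^s == r * y^e  <=>  g^(k + e*x) == g^k * (g^x)^e
    return pow(G, s, P) == (r * pow(pub, _challenge(r, msg), P)) % P

# --- vendor side: a signed manifest is published next to the payload ---
def canonical(manifest):
    return json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()

def build_release(vendor_priv, version, payload):
    manifest = {"version": version, "sha256": hashlib.sha256(payload).hexdigest()}
    return manifest, sign(vendor_priv, canonical(manifest))

# --- client side ---
def naive_install(payload):
    """An updater that runs whatever arrived over HTTP."""
    return ("installed", payload)

def hardened_install(pinned_pub, installed_version, manifest, sig, payload):
    """Reject unsigned/mis-signed manifests, rollbacks, and hash mismatches."""
    if not verify(pinned_pub, canonical(manifest), sig):
        return ("rejected", "bad manifest signature")
    if manifest["version"] <= installed_version:
        return ("rejected", "rollback or replay")
    if hashlib.sha256(payload).hexdigest() != manifest["sha256"]:
        return ("rejected", "payload hash mismatch")
    return ("installed", payload)

# --- scenario: attacker on the HTTP path rewrites the response body ---
VENDOR_PRIV, VENDOR_PUB = keygen()        # VENDOR_PUB is what the client pins
ATTACKER_PRIV, ATTACKER_PUB = keygen()    # attacker has his own key, not the vendor's
LEGIT = b"legit-updater-9.7.1.exe (constructed placeholder bytes)"
IMPLANT = b"backdoor-installer.exe (constructed placeholder bytes)"

def demo():
    manifest, sig = build_release(VENDOR_PRIV, 971, LEGIT)
    results = {}
    # 1. naive client: the swapped body is installed without question
    results["naive_swap"] = naive_install(IMPLANT)[0]
    # 2. hardened client, attacker swaps only the payload
    results["hard_swap"] = hardened_install(VENDOR_PUB, 970, manifest, sig, IMPLANT)
    # 3. attacker also forges a manifest signed with his own key
    f_manifest, f_sig = build_release(ATTACKER_PRIV, 972, IMPLANT)
    results["hard_forge"] = hardened_install(VENDOR_PUB, 970, f_manifest, f_sig, IMPLANT)
    # 4. attacker replays a genuinely signed but older release
    o_manifest, o_sig = build_release(VENDOR_PRIV, 950, LEGIT)
    results["hard_replay"] = hardened_install(VENDOR_PUB, 970, o_manifest, o_sig, LEGIT)
    # 5. the real update still installs
    results["hard_legit"] = hardened_install(VENDOR_PUB, 970, manifest, sig, LEGIT)
    return results

if __name__ == "__main__":
    for name, outcome in demo().items():
        print(name, outcome)
```

The check defeats both the on-path swap and a compromised mirror or CDN, because neither attacker holds the vendor's signing key. It does not help in the supply chain scenario Eset also considered: if the update servers themselves, or the build and signing pipeline behind them, are compromised, the attacker can produce validly signed manifests for the implant, which is why the two scenarios call for different defenses and why the distinction matters to defenders.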
Evasive Panda — aka Bronze Highland and Daggerfly — has been active since 2012, and primarily conducts cyber espionage against individuals in mainland China, Hong Kong, Macao, and Nigeria, as well as specific organizations in China and Hong Kong.
The group also has targeted government entities in China, Macao, and Southeast and East Asian countries — specifically Myanmar, the Philippines, Taiwan, and Vietnam. According to public reports, the group has also targeted unknown entities in Hong Kong, India, and Malaysia.
Evasive Panda primarily uses the modular C++-based Windows backdoor MgBot, which does not appear to have been updated since it was first publicly documented in 2014, to spy on victims. The malware's modules can be updated by Evasive Panda during attacks to enhance the attackers' capabilities, according to Eset.
Because the attacks appear so legitimate to end users, they are difficult for organizations to detect and mitigate, the researchers said. To help potential victims avoid compromise, Eset researchers included a list of indicators of compromise (IoCs) in their post.
When reporting on the LuoYu attack, Kaspersky researchers advised that the only way for potential targets to defend against such attacks is to remain extremely vigilant and put in place robust security procedures that involve regular antivirus scans, analysis of outbound network traffic, and extensive logging to detect anomalies.
