Shadow Updates: Evasive Panda’s Two-Year Espionage Spree Revealed

The Chinese hacking group known as Evasive Panda (also tracked as Bronze Highland, Daggerfly, and StormBamboo) carried out one of the most sophisticated and long-running cyber campaigns of recent years, silently infecting victim systems and maintaining control for nearly two years. New research from Kaspersky Lab reveals that the operation spanned from November 2022 through November 2024 and was marked by exceptional precision, stealth, and technical sophistication.

The attackers placed particular emphasis on man-in-the-middle (MitM) attacks, in which malicious code is delivered to victims under the guise of legitimate updates for trusted applications. Throughout the campaign, the hackers tampered with updates for widely used software—including streaming services—quietly implanting malware loaders in the process. In several instances, the attack appears to have relied on DNS response manipulation, causing victim systems to contact attacker-controlled infrastructure instead of the genuine update servers.

Fake updates were crafted for popular applications such as SohuVA and iQIYI Video, as well as for utilities and messaging clients installed on millions of computers. The malicious code was carefully placed directly within the directories of legitimate software and launched by the applications’ own services, allowing it to remain undetected for extended periods.

A defining feature of the campaign was a newly developed loader engineered to significantly hinder analysis and detection. It employs a multi-stage architecture in which components of the payload are stored in encrypted form and retrieved only when specific conditions are met. Configuration data, strings, and even file names are concealed through encryption, while the malware executes entirely in system memory, leaving few conventional traces on disk.

In the final phase of the attack, the operators deploy the well-known yet actively evolving espionage module MgBot. This is achieved through code injection into legitimate Windows processes such as svchost.exe, using signed and ostensibly benign executables. Such techniques enable the intrusion to persist quietly for months, and in some cases, for years.

Evasive Panda further shielded its infrastructure through the use of hybrid encryption. Portions of the payload are encrypted using native Windows mechanisms tied to the victim’s specific machine. As a result, intercepted files cannot be decrypted or analyzed on other systems, substantially complicating the work of security analysts and researchers.

Telemetry data indicates that users in Turkey, China, and India were affected, with some systems remaining compromised for more than a year. The scale and duration of the campaign point to significant resources and a deliberate, strategic approach on the part of the attackers.

Researchers attribute the operation to Evasive Panda with high confidence, as the techniques and tooling closely mirror the group’s previously documented activities. Despite the introduction of new loaders and obfuscation methods, MgBot remains the final stage of the attack—albeit with updated configurations and expanded capabilities.

Experts note that this operation vividly illustrates the evolution of cyber espionage: attackers are increasingly weaponizing trusted applications, network infrastructure, and even defensive system mechanisms against users themselves. All indications suggest that this campaign is far from the last, and the emergence of new tools may signal Evasive Panda’s preparations for even more complex operations in the future.
