New Evasive Panda Attacks Use DNS in Stealthy Cyberattacks

A China-linked threat group tracked as Evasive Panda, also known in industry reporting as StormBamboo, Daggerfly, and Bronze Highland, has been tied to a targeted campaign that weaponized the internet’s “address book” itself. Instead of relying on the familiar playbook of malicious links or booby-trapped attachments, investigators describe an operation in which victims asked for legitimate software updates and received a poisoned answer through manipulated DNS resolution, turning routine update checks into a covert malware delivery channel.

Reports on the activity say the campaign ran across a multi-year window and used an adversary-in-the-middle approach combined with DNS poisoning to redirect update traffic for select applications. The infection chain described by researchers hinges on quietly steering victims toward attacker-controlled infrastructure that served trojanized payloads, ultimately dropping MgBot, a backdoor associated with this actor in multiple prior investigations. Technical write-ups also emphasize layered stealth, including obfuscated components and encrypted staging methods, reflecting a mature tradecraft style designed to survive modern endpoint scrutiny.

The significance is not the malware family alone, but the distribution mechanic. DNS manipulation sits below most user awareness and often below many enterprise controls, which means a compromised resolver path can undermine the trust assumptions that security teams bake into update systems and web access. Prior public research has already documented StormBamboo-linked activity involving ISP-level compromise and abuse of insecure update mechanisms, which helps explain why defenders treat this as a reusable capability rather than a one-off incident.

What makes this approach particularly effective is its persistence and scalability. Once DNS resolution is compromised, every affected request can be weaponized repeatedly without re-engaging the victim. Researchers note that attackers can selectively target specific applications, regions, or organizations by controlling which DNS responses are altered, allowing for highly precise campaigns. The malicious infrastructure can also be rotated quickly, making takedowns more difficult and extending the lifespan of the operation.

The abuse of DNS also enables attackers to blend into normal network noise. DNS traffic is ubiquitous, lightweight, and rarely scrutinized in depth, especially in environments that prioritize perimeter defenses over resolver integrity.

By embedding their activity into this layer, Evasive Panda avoids many endpoint-based detections and shifts the battle into a part of the network stack that many organizations still implicitly trust.
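One way to put resolver integrity under the scrutiny the article says it rarely gets is to compare what the local resolver returns for known update hostnames against an independent, out-of-band lookup and against the address ranges the vendor publishes. The following is an added example, not code from the article or from any of the cited research; the hostnames, address ranges and log lines are constructed, and the two-resolver log format is an assumption.

```python
from ipaddress import ip_address, ip_network

# Constructed allow-list (not from the article): update hostnames mapped to the
# address ranges the vendor publishes for its download infrastructure.
EXPECTED_RANGES = {
    "updates.example-vendor.test": ["203.0.113.0/24"],
    "dl.example-tools.test": ["198.51.100.0/25"],
}

# Constructed passive-DNS lines: "<resolver> <qname> A <address> ttl=<n>".
# 'local' is the resolver clients use; 'reference' is an independent out-of-band lookup.
SAMPLE_LOG = """\
local updates.example-vendor.test A 203.0.113.20 ttl=300
reference updates.example-vendor.test A 203.0.113.20 ttl=300
local dl.example-tools.test A 192.0.2.77 ttl=30
reference dl.example-tools.test A 198.51.100.9 ttl=300
local www.example-news.test A 192.0.2.5 ttl=3600
"""

def parse_log(text):
    """Parse well-formed A-record lines into (resolver, qname, addr, ttl)."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5 or parts[2] != "A" or not parts[4].startswith("ttl="):
            continue  # skip malformed lines instead of crashing the monitor
        resolver, qname, _, addr, ttl = parts
        records.append((resolver, qname, addr, int(ttl[4:])))
    return records

def in_expected_range(qname, addr):
    """True if addr falls inside one of the published ranges for qname."""
    ip = ip_address(addr)
    return any(ip in ip_network(cidr) for cidr in EXPECTED_RANGES[qname])

def check_update_answers(records):
    """Return sorted (qname, reason) findings: 'out_of_range' when the local
    answer leaves the vendor ranges, 'resolver_mismatch' when resolvers differ."""
    seen = {}
    for resolver, qname, addr, _ttl in records:
        if qname in EXPECTED_RANGES:  # names outside the allow-list are ignored
            seen.setdefault(qname, {})[resolver] = addr
    findings = []
    for qname, answers in seen.items():
        local, ref = answers.get("local"), answers.get("reference")
        if local and not in_expected_range(qname, local):
            findings.append((qname, "out_of_range"))
        if local and ref and local != ref:
            findings.append((qname, "resolver_mismatch"))
    return sorted(findings)
```

On the constructed log, the vendor hostname resolves consistently and produces no finding, while the tools hostname is flagged twice: its local answer is outside the published range and disagrees with the reference lookup.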

Modern attackers are now moving lower in the stack, exploiting foundational internet systems rather than user-facing weaknesses to gain long-term, covert access.