New Panda hacking group targets software updates via DNS

Evasive Panda's technique allows attackers to manipulate where update requests are going, essentially using trusted update services
An undated image. — Unsplash

A Chinese cyber threat actor called Evasive Panda has been associated with an elite hacking attack that used legitimate software update messages and relied on internet infrastructure manipulation rather than direct user communication.

Researchers believe that the malicious group, which is also tracked under names such as StormBamboo, Daggerfly, and Bronze Highland, started a prolonged campaign in which it used DNS poisoning to redirect targets looking for legitimate software updates to its own servers.

These targets were quietly delivered Trojaned files that contained a backdoor called MgBot, previously believed to be the creation of this particular hacking crew.

In contrast to traditional phishing attacks, where attackers rely on links or files, in this case the attackers utilised an "adversary in the middle" position, also known as a man-in-the-middle attack. This position allowed the attackers to manipulate where update requests were going, essentially using trusted update services as malware vectors.

Experts pointed out that DNS tampering happens at a layer below the end user and below many of the security controls in the enterprise, which is why it is so dangerous. Once DNS responses are compromised, the attack can be reused without any interaction with the target.
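A defender-side check for the redirection described above, added here and not part of the original article or the researchers' tooling: it scans constructed resolver log lines and flags any monitored update domain whose A/AAAA answer falls outside the address ranges the organisation expects to see. The domain names, address ranges and log format are constructed assumptions, not real vendor values.

```python
import ipaddress
import re
from typing import Dict, List, Tuple

# Hypothetical allowlist (constructed): the ranges an organisation expects
# its software update hosts to resolve to. Not real vendor addresses.
EXPECTED_UPDATE_RANGES: Dict[str, List[str]] = {
    "updates.example-vendor.test": ["203.0.113.0/24"],
    "cdn.example-vendor.test": ["198.51.100.0/25", "2001:db8:10::/48"],
}

# One line of a constructed resolver log: "<ts> <client> <qname> <type> <answer>"
LOG_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(AAAA|A|CNAME)\s+(\S+)$")


def check_dns_log(lines: List[str]) -> List[Tuple[str, str, str, str]]:
    """Return (timestamp, client, qname, answer) for every A/AAAA answer that
    places a monitored update domain outside its expected ranges. This is the
    DNS-poisoning signal described in the article: the update host name
    resolves to infrastructure the vendor does not own. CNAME answers and
    unmonitored names are ignored; malformed lines are skipped, not fatal."""
    alerts = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # not an answer line in the expected shape
        ts, client, qname, rtype, answer = m.groups()
        ranges = EXPECTED_UPDATE_RANGES.get(qname.rstrip(".").lower())
        if ranges is None or rtype == "CNAME":
            continue
        try:
            addr = ipaddress.ip_address(answer)
        except ValueError:
            continue  # answer field is not an address
        # IPv4 addresses never match IPv6 ranges (and vice versa), so a
        # mixed allowlist is safe to check with a single loop.
        if not any(addr in ipaddress.ip_network(r) for r in ranges):
            alerts.append((ts, client, qname, answer))
    return alerts


# Constructed sample log: one poisoned answer among legitimate ones.
SAMPLE_LOG = [
    "2024-01-01T10:00:01Z 10.0.0.5 updates.example-vendor.test A 203.0.113.17",
    "2024-01-01T10:00:02Z 10.0.0.5 cdn.example-vendor.test CNAME edge.example-vendor.test.",
    "2024-01-01T10:00:02Z 10.0.0.5 cdn.example-vendor.test AAAA 2001:db8:10::5",
    "2024-01-01T10:03:10Z 10.0.0.9 updates.example-vendor.test A 192.0.2.44",
    "2024-01-01T10:03:11Z 10.0.0.9 www.unrelated.test A 192.0.2.44",
    "this line is not a resolver answer",
]
```

Running `check_dns_log(SAMPLE_LOG)` flags only the fourth line, where the update host resolves to an address outside its allowlisted range; the same address serving an unmonitored name is not reported.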

As per the technical analysis, the operation made use of an encrypted payload staging technique, which helps it evade detection. It can also change its infrastructure to keep the operation running for an extended period. The campaign also exhibited an ability to target particular applications, regions or organisations.