Evasive Panda Poisoned The Watering Hole And Honestly I'm Too Tired To Be Surprised

Look. LOOK. I just got off a 14-hour shift triaging tickets about the Lambs not being able to find the "any" key, and NOW I have to explain DNS poisoning to you people.

Fine. Here we go.

Evasive Panda, a Wolf crew with strong ties to Beijing, spent roughly two years (2022 to 2024, because apparently patience is a virtue when you're a state-sponsored predator) running a DNS poisoning campaign. What that means in plain language is they quietly redirected legitimate traffic to their own fake grain buckets. The Flock thought they were eating from a trusted trough. They were not. They were eating MgBot.

MgBot is a backdoor. A full-featured, espionage-grade parasite that burrows in and just... stays. Keylogging, file exfiltration, screen capture. The whole tick lifecycle. Lovely stuff. Really makes the 3am pages worth it.

The clever part, and I say "clever" with the dead-eyed expression of someone who has seen too much, is that the Wolves didn't need to lure the Lambs anywhere suspicious. They just poisoned the DNS resolution itself. Legitimate domain. Legitimate request. Illegitimate answer. The Flock walked straight into the pen thinking it was Tuesday.

No sketchy link to click. No fake grain email to ignore. Just corrupted infrastructure silently redirecting trust.

Which means for once I cannot entirely blame the Lambs.

I know. I'm as shocked as you are. Give me a moment.

The Shepherds, naturally, were probably approving Q3 budget decks while this was happening across 2022 to 2024. Two full years. I'm not saying anyone was asleep at the wheel. I'm just saying the wheel was completely unattended and possibly on fire.

This campaign targeted specific organizations, which suggests the Wolves did their homework. Targeted espionage. Not a spray-and-pray operation. Someone picked a field and quietly poisoned the water supply for years.

Cool. Great. Wonderful. I'll just add this to the pile.

Remediation

Alright, here's what you actually do, if anyone in the Shepherd tier is reading this between golf outings:

  • DNSSEC. Implement it. Yes it's annoying. Do it anyway. It lets a validating resolver cryptographically check that answers for signed zones are authentic, so forged answers get rejected instead of cached.
  • DNS over HTTPS or DNS over TLS. Encrypting resolution between your clients and your resolver makes quiet tampering on that path significantly harder.
  • Monitor your DNS traffic. Unexpected resolution changes for internal or trusted domains should be a five-alarm fire, not a Tuesday footnote.
  • Patch your resolvers. Shear them regularly. Known vulnerabilities in DNS infrastructure are holes in the fence, and the Wolves know where every hole is.
  • Network segmentation. If something does get through, limit how far the ticks can crawl.
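For the "monitor your DNS traffic" point, here is an added example of the kind of check a defender would run over resolver logs; it is not code from the original post or from the linked report. It assumes a hypothetical log format of "timestamp client qname answer" per line and a baseline you maintain yourself from your own DNS records (all domains, addresses and log lines below are constructed).

```python
"""Flag trusted domains that resolve to an address outside their baseline.

Constructed example. The log format ("<ts> <client> <qname> <answer>") and the
baseline values are assumptions, not anything from the original post.
"""
import ipaddress
from collections import OrderedDict

# Expected answers for watched domains (constructed, documentation-range IPs).
BASELINE = {
    "updates.example.com": {"198.51.100.10", "198.51.100.11"},
    "portal.example.com": {"203.0.113.5"},
}

# Constructed resolver log lines. The third and fifth lines show a watched
# domain suddenly resolving to an address that is not in the baseline.
SAMPLE_LOG = """\
2024-03-01T10:00:01Z 10.0.0.5 updates.example.com 198.51.100.10
2024-03-01T10:00:02Z 10.0.0.7 portal.example.com 203.0.113.5
2024-03-01T10:01:15Z 10.0.0.5 updates.example.com 192.0.2.77
2024-03-01T10:02:00Z 10.0.0.9 news.example.org 192.0.2.8
this line is garbage and must be skipped
2024-03-01T10:02:30Z 10.0.0.8 updates.example.com 192.0.2.77
"""


def parse_line(line):
    """Parse one log line into a dict, or return None if it is malformed."""
    parts = line.split()
    if len(parts) != 4:
        return None
    ts, client, qname, answer = parts
    try:
        ipaddress.ip_address(answer)  # reject non-address answers
    except ValueError:
        return None
    return {
        "ts": ts,
        "client": client,
        "qname": qname.rstrip(".").lower(),  # normalise trailing dot / case
        "answer": answer,
    }


def find_unexpected_resolutions(log_text, baseline):
    """Return one alert per (domain, unexpected answer) pair, in first-seen order.

    Each alert records when the answer was first seen, how many times it was
    returned, and which clients received it.
    """
    alerts = OrderedDict()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        expected = baseline.get(rec["qname"])
        if expected is None or rec["answer"] in expected:
            continue  # unwatched domain, or an answer we expect
        key = (rec["qname"], rec["answer"])
        if key not in alerts:
            alerts[key] = {
                "qname": rec["qname"],
                "answer": rec["answer"],
                "first_seen": rec["ts"],
                "count": 0,
                "clients": set(),
            }
        alerts[key]["count"] += 1
        alerts[key]["clients"].add(rec["client"])
    return list(alerts.values())


if __name__ == "__main__":
    for alert in find_unexpected_resolutions(SAMPLE_LOG, BASELINE):
        print(f"ALERT {alert['qname']} -> {alert['answer']} "
              f"first seen {alert['first_seen']}, {alert['count']} answers, "
              f"clients {sorted(alert['clients'])}")
```

The baseline should come from the records you publish, not from what the resolver happened to return last week; otherwise a poisoned answer that sticks around simply becomes the new normal. Legitimate address changes will also trip this, which is the point: a change to a trusted domain's resolution should be something you knew about in advance.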

Still not blaming the Lambs on this one. Enjoy it. It won't happen again.

Gonna go stare at a wall for four minutes and call it sleep.


Original Report: https://thehackernews.com/2025/12/china-linked-evasive-panda-ran-dns.html