New Delhi: India is facing a serious cyber espionage crisis. Global cyber security firm Kaspersky has disclosed details of a two-year-long campaign by the hacker group Evasive Panda. The group has been covertly infiltrating systems in India, Türkiye, and China since November 2022, and some infections have persisted for more than a year.
According to Kaspersky, the attackers used fake software updates that impersonated trusted applications such as Tencent QQ, iQIYI Video, IObit Smart Defrag, and SohuVA to trick unsuspecting users. Once installed, the malware blends into system processes, allowing the hackers to steal files, log keystrokes, and run commands without raising suspicion.
At the heart of this attack is the decade-old MgBot implant, a modular malware framework that Evasive Panda has relied on since at least 2012. Updated with a new configuration for this campaign, MgBot was deployed with multiple command-and-control servers to ensure redundancy and long-term access. The attackers also used DNS poisoning to redirect victims to servers they controlled, making it appear that the malicious files were hosted on popular, trusted websites. By injecting the malware into trusted processes via DLL sideloading, they were able to persist undetected in compromised systems for long periods while evading advanced defenses.
More than 265 million malware detections in 2025 alone
The impact on India is particularly worrying. In 2025 alone, reports indicate more than 265 million malware detections and nearly 2.5 million registered cybercrime cases, affecting critical sectors such as finance and healthcare. This campaign adds another dangerous layer to the growing cyber threat environment, showing that attackers are willing to devote years of effort and significant resources to spying on Indian systems. Fatih Sensoy, a security expert at Kaspersky, warned that the campaign shows how attackers exploit user trust in everyday applications to remain hidden, and stressed that organizations must adopt intelligence-driven defenses to counter such persistent threats.
Kaspersky has urged both organizations and individuals to remain vigilant. For companies, recommendations include implementing multi-factor authentication for software updates, monitoring networks for signs of DNS poisoning or suspicious traffic, and training employees to recognize the lure of fake updates. For individual users, the advice is simple but important: run regular malware scans using trusted security solutions and be careful when downloading updates, even if they seem to come from familiar apps.
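One way to implement the DNS-poisoning monitoring Kaspersky recommends, as an added example that is not from the report or this article: a small checker over passive-DNS logs that flags any resolution of a software-update host to an address outside the publisher's expected ranges. The log lines, hostnames and address ranges below are constructed placeholders, not values from the campaign.

```python
import ipaddress
import re

# Constructed sample of passive-DNS log lines (not from the Kaspersky report).
# Field order: timestamp, client address, queried name, answered address.
SAMPLE_DNS_LOG = """\
2024-03-01T09:00:01 10.0.0.5 update.app-vendor.invalid 198.51.100.10
2024-03-01T09:00:02 10.0.0.6 update.app-vendor.invalid 198.51.100.11
2024-03-01T09:05:00 10.0.0.5 update.app-vendor.invalid 203.0.113.7
2024-03-01T09:05:01 10.0.0.9 cdn.other-vendor.invalid 192.0.2.20
"""

# Hypothetical allowlist: the address ranges each update host is expected to
# resolve into, as published by (or observed from) the legitimate vendor.
EXPECTED_RANGES = {
    "update.app-vendor.invalid": ["198.51.100.0/24"],
    "cdn.other-vendor.invalid": ["192.0.2.0/24"],
}

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")


def parse_dns_log(text):
    """Yield (timestamp, client, qname, answer) tuples; skip malformed lines."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.groups()


def find_poisoned_answers(log_text, expected=EXPECTED_RANGES):
    """Return one alert per resolution of a monitored update host to an
    address outside its expected ranges, i.e. a client being steered to a
    server the publisher does not operate (the DNS-poisoning pattern)."""
    nets = {h: [ipaddress.ip_network(r) for r in rs] for h, rs in expected.items()}
    alerts = []
    for ts, client, qname, answer in parse_dns_log(log_text):
        if qname not in nets:
            continue  # not a monitored update host
        ip = ipaddress.ip_address(answer)
        if not any(ip in n for n in nets[qname]):
            alerts.append({"time": ts, "client": client, "host": qname, "answer": answer})
    return alerts


if __name__ == "__main__":
    for a in find_poisoned_answers(SAMPLE_DNS_LOG):
        print(f"{a['time']} {a['client']} resolved {a['host']} to {a['answer']} (outside expected ranges)")
```

Feeding this the resolver or DNS-firewall logs of a fleet, with the allowlist kept in step with the vendor's real ranges, turns a sudden redirection of update traffic into a reviewable alert rather than a silent install.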