Date: 2026-01-09

New Delhi: India is staring at a serious cyber espionage crisis as global cybersecurity firm Kaspersky has revealed alarming details about a two-year-long campaign by the hacker group Evasive Panda. The group has been secretly infiltrating systems in India, Turkey, and China since November 2022, with some infections lasting for more than a year.

According to Kaspersky, the attackers used fake software updates disguised as trusted applications like Tencent QQ, iQIYI Video, IObit Smart Defrag, and SohuVA to trick unsuspecting users. Once installed, the malware blended seamlessly into legitimate system processes, allowing hackers to steal files, log keystrokes, and execute commands without raising suspicion.

At the heart of the attack is the decade-old MgBot implant, a modular malware framework that Evasive Panda has relied on since at least 2012. Updated with new configurations for this campaign, MgBot was deployed with multiple command-and-control servers to ensure redundancy and long-term access. The attackers also used DNS poisoning to redirect victims to servers under their control, making it appear as though the malicious files were hosted on popular legitimate websites. By getting trusted, legitimately signed programs to load their malicious DLLs (DLL sideloading), they maintained a stealthy presence on compromised systems for extended periods, evading detection even by advanced defenses.

The impact on India is particularly worrying. In 2025 alone, reports indicated over 265 million malware detections and nearly 2.5 million registered cybercrime cases, affecting critical sectors such as finance and healthcare. This campaign adds another dangerous layer to the growing cyber threat landscape, showing that attackers are willing to invest years of effort and significant resources to spy on Indian systems. Fatih Sensoy, a security expert at Kaspersky, warned that the campaign demonstrates how attackers exploit user trust in everyday applications to stay hidden, stressing that organizations must adopt intelligence-driven defenses to counter such persistent threats.


Kaspersky has urged both organisations and individuals to remain vigilant. For companies, the recommendations include enforcing multi-factor authentication for software updates, monitoring networks for signs of DNS poisoning or suspicious traffic, and training employees to recognize fake update lures. For individual users, the advice is simple but critical: run regular malware scans using trusted security solutions and be cautious when downloading updates, even if they appear to come from familiar apps.
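One concrete way to act on the advice above to monitor for signs of DNS poisoning is to compare what the internal resolver returns for software-update domains against an independent resolver and against the vendor's published netblocks. The script below is an added example written for this article; it is not code from Kaspersky or from the report. The domains, addresses and netblocks are all constructed (RFC 5737 documentation addresses stand in for public ones, which is why the check carries its own list of non-routable ranges instead of relying on `ipaddress.is_global`).

```python
"""Cross-resolver DNS consistency check (added example, constructed data).

Flags software-update domains whose answer from the internal resolver
(a) falls in non-routable address space, (b) falls outside the vendor's
published netblocks, or (c) differs from an independent reference
resolver's answer.
"""
import ipaddress
from dataclasses import dataclass

# Address space a public update host should never resolve to.
NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16",
)]


@dataclass(frozen=True)
class Finding:
    domain: str
    answer: str
    reason: str


def in_any(ip: str, networks) -> bool:
    """True if ip lies inside any of the given ip_network objects."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in networks)


def check_domain(domain, local_answers, reference_answers, vendor_nets=()):
    """Return findings for one domain.

    local_answers / reference_answers: A-record strings from the internal
    resolver and from an independent resolver (for example DoH to a public
    provider). vendor_nets: CIDR strings the vendor publishes for the host,
    or empty when unknown. Checks are ordered from strongest to weakest
    signal; disagreement alone can be CDN rotation and deserves triage,
    not an automatic alert.
    """
    findings = []
    nets = [ipaddress.ip_network(n) for n in vendor_nets]
    reference = set(reference_answers)
    for ip in local_answers:
        if in_any(ip, NON_ROUTABLE):
            findings.append(Finding(domain, ip, "resolves to non-routable address"))
        elif nets and not in_any(ip, nets):
            findings.append(Finding(domain, ip, "outside vendor's published netblocks"))
        elif ip not in reference:
            findings.append(Finding(domain, ip, "internal resolver disagrees with reference resolver"))
    return findings


def audit(local, reference, vendor_ranges):
    """Run check_domain over {domain: [answers]} snapshots from both resolvers."""
    findings = []
    for domain, ips in local.items():
        findings.extend(check_domain(domain, ips, reference.get(domain, []),
                                     vendor_ranges.get(domain, ())))
    return findings


# Constructed snapshots, shaped like what a resolver log exporter might emit.
LOCAL_SNAPSHOT = {
    "update.vendor-a.example": ["203.0.113.10"],   # matches reference and netblock
    "cdn.vendor-b.example": ["192.0.2.44"],        # outside the vendor's netblock
    "update.vendor-c.example": ["10.0.0.5"],       # private address for a public host
    "portal.vendor-d.example": ["203.0.113.90"],   # differs from reference resolver
}
REFERENCE_SNAPSHOT = {
    "update.vendor-a.example": ["203.0.113.10"],
    "cdn.vendor-b.example": ["198.51.100.20"],
    "update.vendor-c.example": ["203.0.113.77"],
    "portal.vendor-d.example": ["203.0.113.91"],
}
VENDOR_RANGES = {
    "update.vendor-a.example": ["203.0.113.0/24"],
    "cdn.vendor-b.example": ["198.51.100.0/24"],
}


def run_example():
    return audit(LOCAL_SNAPSHOT, REFERENCE_SNAPSHOT, VENDOR_RANGES)


if __name__ == "__main__":
    for f in run_example():
        print(f"{f.domain}: {f.answer} - {f.reason}")
```

In practice the two snapshots would be fed from the internal resolver's query log and from a scheduled lookup through an out-of-band resolver; the vendor netblock list is the part that needs curation, and where it is unavailable the weaker disagreement check still catches a redirection to an address the outside world does not see.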