Hackers have learned how to massively and quietly distribute malware through hacking Internet providers

The Chinese hacker group StormBamboo, aka Evasive Panda, hacked an Internet provider and began infecting the computers of its subscribers with malware. This discovery was made by cybersecurity experts from the Volexity company while investigating the hacking of the resources of a certain organization.

Image source: Cliff Hang / pixabay.com

Volexity initially speculated that the attacked organization’s firewall had been compromised, but further investigation revealed that the malware was traced “upstream to the ISP level.” The source of the problem turned out to be “DNS poisoning,” an attack in which a hacker manipulates the domain name system and redirects user traffic to malicious resources.

Volexity notified the provider about the problem, and the provider examined the equipment that routes traffic on its network – after it rebooted and turned off some network components, the symptoms of DNS poisoning stopped. Experts attributed the attack to the Chinese hacker group StormBamboo, also known as Evasive Panda.

Image source: volexity.com

Having taken control of DNS resolution in the provider’s network, the attackers altered the answers for the hosts that user programs contact for updates – in particular, the free media player 5KPlayer. When applications tried to download updates, they received malware packages instead. The StormBamboo hackers have used this attack pattern against several software products whose update mechanisms are insecure (for example, fetching updates over plain HTTP without verifying a signature on what is received).
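One way a defender can catch this class of tampering is to inspect the answers the local resolver returns for update hosts and flag any address that falls outside the ranges the publisher is known to serve from. The script below is an added example and is not code from the Volexity report or from any of the products named here; the update host, the expected prefix and the two DNS responses are constructed sample data (documentation address ranges), and the report does not say what the poisoned answers actually looked like. It builds two DNS response packets, parses the A records out of them (handling the name-compression pointers real resolvers emit) and reports the answer that points outside the expected range.

```python
import ipaddress
import struct

# Constructed sample data (hypothetical, not from the report): an update host
# and the address range its publisher is assumed to serve that host from.
UPDATE_HOST = "updates.example.com"
EXPECTED_PREFIXES = [ipaddress.ip_network("203.0.113.0/24")]


def _encode_name(name):
    """Encode a dotted hostname as DNS wire-format labels."""
    out = b""
    for label in name.split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_a_response(txid, qname, answers):
    """Build a minimal DNS response carrying A records; answers = [(ip, ttl), ...].
    Answer names use a compression pointer to the question name at offset 12,
    as real resolvers do, so the parser below must handle pointers."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, len(answers), 0, 0)
    question = _encode_name(qname) + struct.pack("!HH", 1, 1)
    body = b""
    for ip, ttl in answers:
        rdata = ipaddress.ip_address(ip).packed
        body += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, len(rdata)) + rdata
    return header + question + body


def _read_name(msg, off):
    """Decode a possibly-compressed name; return (name, offset after it)."""
    labels, end, jumped = [], None, False
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:            # compression pointer to an earlier name
            if not jumped:
                end = off + 2
            off = struct.unpack_from("!H", msg, off)[0] & 0x3FFF
            jumped = True
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (off if end is None else end)


def parse_a_records(msg):
    """Return [(name, ttl, ip)] for every A record in the answer section."""
    _, _, qdcount, ancount, _, _ = struct.unpack_from("!HHHHHH", msg, 0)
    off = 12
    for _ in range(qdcount):
        _, off = _read_name(msg, off)
        off += 4                              # skip qtype + qclass
    records = []
    for _ in range(ancount):
        name, off = _read_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rclass == 1 and rdlen == 4:
            records.append((name, ttl, str(ipaddress.ip_address(rdata))))
    return records


def find_suspicious_answers(msg, host=UPDATE_HOST, prefixes=EXPECTED_PREFIXES):
    """Flag A records for the update host that fall outside the known prefixes.
    A mismatch is evidence, not proof (CDNs move ranges), so treat it as an
    alert to review, and pair it with signature checks on the update itself."""
    findings = []
    for name, ttl, ip in parse_a_records(msg):
        if name.lower() != host.lower():
            continue
        addr = ipaddress.ip_address(ip)
        if not any(addr in p for p in prefixes):
            findings.append({"host": name, "ip": ip, "ttl": ttl})
    return findings


# Constructed samples: a benign answer and one shaped like a poisoned resolver's.
BENIGN_RESPONSE = build_a_response(0x1234, UPDATE_HOST, [("203.0.113.10", 300)])
POISONED_RESPONSE = build_a_response(0x1234, UPDATE_HOST, [("198.51.100.7", 60)])

if __name__ == "__main__":
    for label, msg in (("benign", BENIGN_RESPONSE), ("poisoned", POISONED_RESPONSE)):
        print(label, parse_a_records(msg), find_suspicious_answers(msg))
```

In practice the packets would come from a capture on the resolver path rather than from `build_a_response`, and the prefix list would be maintained from the publisher's published ranges; the check complements, rather than replaces, an update client that verifies a signature with a pinned publisher key before installing anything.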

Volexity did not name the Internet provider or the number of computers affected by the attack, but said its findings cover “multiple incidents” dating back to mid-2023. The victims’ computers ran Windows and macOS, and the malware included MACMA and MGBot, which let attackers remotely take screenshots, intercept keystrokes, and steal files and passwords. The attack on the provider’s infrastructure reportedly used CATCHDNS, malware designed for Linux.
