Chinese Hackers StormBamboo Exploit ISP, Poison DNS to Target Windows and macOS Systems
August 5, 2024
The China-linked threat actor StormBamboo (also tracked as Evasive Panda) compromised an internet service provider (ISP) and used DNS poisoning to deliver malware to Windows and macOS systems.
By altering DNS responses for domains used by software update checks, StormBamboo redirected update requests to servers under its control, which returned malware in place of the legitimate update. The abused update clients accepted whatever the redirected server returned, because they fetched over an insecure channel and did not verify the payload.
Volexity began investigating in mid-2023, after the attackers had already compromised the ISP and were positioned to tamper with traffic between targeted devices and the servers those devices trusted.
The malware deployed included MgBot and Macma, families associated with a group that has been active for more than a decade against targets including Tibetan organizations.
These attacks delivered new variants of the Macma backdoor and other malware built to exfiltrate sensitive data from infected networks.
To mitigate similar threats, organizations should ensure update clients fetch updates over HTTPS with certificate validation, verify a digital signature on each update before installing it, and audit their network infrastructure for signs of tampering.
The poisoned DNS responses pointed to an attacker-controlled server in Hong Kong. Identifying the specific compromised device proved difficult, but the poisoning stopped once the ISP rebooted and took key network components offline.
The incident underscores the risk posed by software update mechanisms that lack transport security and signature checks, and the level of network access threat actors like StormBamboo are prepared to obtain in order to abuse them.
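The following Go program is an added illustration of the weakness described above and of the mitigation recommended earlier (signed updates with a key pinned in the client); it is not code from Volexity or from any of the affected vendors. DNS and HTTP are stood in for by in-memory maps, the update domain, IP addresses and release payloads are constructed for the example, and the keys are derived from fixed labels so the run is reproducible. An insecure client trusts whatever the resolved server returns, so poisoning the DNS entry is enough to hand it malware; a client that verifies an ed25519-signed manifest committing to the installer's SHA-256 rejects both an attacker-signed manifest and a replayed genuine manifest with a swapped payload.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
)

// Manifest is what the vendor signs: version plus the SHA-256 of the installer,
// so a valid signature on the manifest also pins the payload bytes.
type Manifest struct {
	Version string `json:"version"`
	SHA256  string `json:"sha256"`
}

// Response is what one update server returns (constructed sample data).
type Response struct {
	ManifestJSON []byte
	Signature    []byte // ed25519 signature over ManifestJSON
	Payload      []byte // installer bytes
}

// Network stands in for DNS plus HTTP: hostname -> IP -> server answer.
// Rewriting the DNS map is the ISP-level poisoning described in the article.
type Network struct {
	DNS     map[string]string
	Servers map[string]Response
}

func (n Network) Fetch(host string) (Response, error) {
	ip, ok := n.DNS[host]
	if !ok {
		return Response{}, errors.New("NXDOMAIN")
	}
	r, ok := n.Servers[ip]
	if !ok {
		return Response{}, errors.New("connection refused")
	}
	return r, nil
}

const updateHost = "updates.example-vendor.test" // hypothetical update domain

// InsecureUpdate is the pattern the campaign abused: plain fetch, no signature,
// so whichever server DNS points at gets to supply the "update".
func InsecureUpdate(n Network) ([]byte, error) {
	r, err := n.Fetch(updateHost)
	if err != nil {
		return nil, err
	}
	return r.Payload, nil
}

// SecureUpdate checks the manifest signature against a key pinned in the client,
// refuses replays of old versions, and checks the payload against the signed hash.
func SecureUpdate(n Network, vendorPub ed25519.PublicKey, installed string) ([]byte, error) {
	r, err := n.Fetch(updateHost)
	if err != nil {
		return nil, err
	}
	if !ed25519.Verify(vendorPub, r.ManifestJSON, r.Signature) {
		return nil, errors.New("manifest signature does not verify against pinned vendor key")
	}
	var m Manifest
	if err := json.Unmarshal(r.ManifestJSON, &m); err != nil {
		return nil, err
	}
	if m.Version <= installed { // lexical compare is enough for this example; real clients use semver
		return nil, fmt.Errorf("refusing downgrade or replay to version %s", m.Version)
	}
	sum := sha256.Sum256(r.Payload)
	if hex.EncodeToString(sum[:]) != m.SHA256 {
		return nil, errors.New("payload hash does not match signed manifest")
	}
	return r.Payload, nil
}

// keyFromLabel derives a deterministic ed25519 key pair (example only, never do this for real keys).
func keyFromLabel(label string) (ed25519.PublicKey, ed25519.PrivateKey) {
	seed := sha256.Sum256([]byte(label))
	priv := ed25519.NewKeyFromSeed(seed[:])
	return priv.Public().(ed25519.PublicKey), priv
}

func signedRelease(priv ed25519.PrivateKey, version string, payload []byte) Response {
	sum := sha256.Sum256(payload)
	mj, _ := json.Marshal(Manifest{Version: version, SHA256: hex.EncodeToString(sum[:])})
	return Response{ManifestJSON: mj, Signature: ed25519.Sign(priv, mj), Payload: payload}
}

// Scenario bundles the pinned vendor key with three constructed networks: honest DNS,
// poisoned DNS to an attacker server using its own key, and poisoned DNS to a server
// that replays the genuine signed manifest but swaps in a malicious payload.
type Scenario struct {
	VendorPub                 ed25519.PublicKey
	Honest, Poisoned, Swapped Network
}

func BuildScenario() Scenario {
	vendorPub, vendorPriv := keyFromLabel("vendor-release-key")
	_, attackerPriv := keyFromLabel("attacker-key")
	legit := signedRelease(vendorPriv, "2.0.0", []byte("legit-installer-v2"))
	fake := signedRelease(attackerPriv, "2.0.1", []byte("MALWARE"))
	swapped := legit
	swapped.Payload = []byte("MALWARE")
	const vendorIP, attackerIP = "203.0.113.10", "198.51.100.7" // documentation address ranges
	one := func(ip string, r Response) Network {
		return Network{DNS: map[string]string{updateHost: ip}, Servers: map[string]Response{ip: r}}
	}
	return Scenario{VendorPub: vendorPub, Honest: one(vendorIP, legit), Poisoned: one(attackerIP, fake), Swapped: one(attackerIP, swapped)}
}

func main() {
	s := BuildScenario()
	for name, n := range map[string]Network{"honest": s.Honest, "poisoned": s.Poisoned, "swapped": s.Swapped} {
		p, err := InsecureUpdate(n)
		fmt.Printf("%-8s insecure client: payload=%q err=%v\n", name, p, err)
		p, err = SecureUpdate(n, s.VendorPub, "1.9.0")
		fmt.Printf("%-8s secure client:   payload=%q err=%v\n", name, p, err)
	}
}
```

The signature check is what defeats the redirect: the attacker controls which server the client reaches, but not the vendor's signing key, so neither a forged manifest nor a genuine manifest paired with a different installer passes. HTTPS with certificate validation adds an independent layer, since the attacker's server cannot present a valid certificate for the update domain, but the signed-manifest check also protects against a compromised or misconfigured CDN, which a transport check alone does not.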
Volexity has published indicators of compromise related to the attack, providing resources for organizations to detect potential impacts from these malicious activities.
Analysis of the campaign also found overlaps with earlier activity attributed to another group, DriftingBamboo, suggesting a possible link between the two clusters.
Summary based on 7 sources
Sources

TechRadar pro • Aug 5, 2024
Chinese hackers hijacked an ISP software update to spread malware
The Hacker News • Aug 5, 2024
China-Linked Hackers Compromise ISP to Deploy Malicious Software Updates
Dark Reading • Aug 5, 2024
China's Evasive Panda Attacks ISP to Send Malicious Software Updates
SecurityWeek • Aug 5, 2024
Chinese Hackers Deliver Malware via ISP-Level DNS Poisoning