PlushDaemon compromises network devices for adversary-in-the-middle attacks

ESET researchers have discovered a network implant used by the China-aligned PlushDaemon APT group to perform adversary-in-the-middle attacks.

#ESETresearch discovered and analyzed a previously undocumented malicious tool for network devices that we have named #EdgeStepper, enabling China-aligned #PlushDaemon APT to perform adversary-in-the-middle to hijack updates to deliver malware. https://www.welivesecurity.com/en/eset-research/plushdaemon-compromises-network-devices-for-adversary-in-the-middle-attacks/
When a network device (e.g., a router) is compromised, EdgeStepper begins to redirect all DNS queries to a malicious DNS node that replies with the IP address of the node that performs update hijacking of popular Chinese software such as Sogou Pinyin Method.
When the software communicates with the hijacking node, it issues instructions to download an update for a DLL; in reality, the downloaders that we call LittleDaemon and DaemonicLogistics ultimately deploy the #SlowStepper backdoor.
#SlowStepper is a feature-rich backdoor with a toolkit of more than 30 components. We analyzed and documented it in a previous blogpost about the compromise of a South Korean VPN service provider. https://www.welivesecurity.com/en/eset-research/plushdaemon-compromises-supply-chain-korean-vpn-service/
IoCs available on our GitHub repo: https://github.com/eset/malware-ioc/
PlushDaemon APT Targets South Korean VPN Software in Cyber Espionage Operation - RedPacket Security

A cyber espionage operation targeting South Korean VPN software was conducted in 2023 by a previously undocumented advanced persistent threat (APT) group,


🚨 PlushDaemon, a China-linked APT targeting S. Korea with a SlowStepper backdoor. Using a supply chain attack, it infiltrates #VPN software to steal sensitive data.

Read: https://hackread.com/chinese-plushdaemon-apt-south-korean-vpn-backdoor/

#CyberSecurity #PlushDaemon #APT #SlowStepper

Chinese PlushDaemon APT Targets S. Korean IPany VPN with Backdoor


#ESETresearch discovered and named 🇨🇳 China-aligned #APT group #PlushDaemon who did a supply-chain compromise of a 🇰🇷 South Korean #VPN provider, trojanizing its legitimate software installer with a Windows backdoor we named #SlowStepper.

https://www.welivesecurity.com/en/eset-research/plushdaemon-compromises-supply-chain-korean-vpn-service/

The website had been compromised by PlushDaemon since at least November 2023, resulting in users from 🇰🇷 South Korea, 🇨🇳 China, and 🇯🇵 Japan downloading the trojanized installer, which deployed the legitimate software and SlowStepper.

The installer deploys malicious files that contain several components inside a custom-formatted archive, including loaders, a process monitor, legitimate PE files abused for side-loading, and the SlowStepper backdoor.

SlowStepper has several interesting features such as decoding #DNS TXT records of a malicious domain to obtain its C&C servers, and a 🐚 shell mode with custom commands, one of which executes modules of an extensive toolkit stored at the Chinese code repository #gitcode.

We presented on #PlushDaemon at #jpcert_ac on January 22, 2025 at https://jsac.jpcert.or.jp/

IoCs available in our GitHub repository at https://github.com/eset/malware-ioc/tree/master/PlushDaemon

PlushDaemon compromises supply chain of Korean VPN service

ESET researchers uncover a supply-chain attack against a VPN provider in South Korea by a new China-aligned APT group we have named PlushDaemon.