The Threat CodexNov 20
PlushDaemon compromises network devices for adversary-in-the-middle attacks
#PlushDaemon #EdgeStepper #LittleDaemon #DaemonicLogistics #SlowStepper
https://www.welivesecurity.com/en/eset-research/plushdaemon-compromises-network-devices-for-adversary-in-the-middle-attacks/
PlushDaemon compromises network devices for adversary-in-the-middle attacks

ESET researchers have discovered a network implant used by the China-aligned PlushDaemon APT group to perform adversary-in-the-middle attacks.

ESET ResearchNov 19
#ESETresearch discovered and analyzed a previously undocumented malicious tool for network devices that we have named #EdgeStepper, enabling China-aligned #PlushDaemon APT to perform adversary-in-the-middle to hijack updates to deliver malware. https://www.welivesecurity.com/en/eset-research/plushdaemon-compromises-network-devices-for-adversary-in-the-middle-attacks/
When a network device (e.g., a router) is compromised, EdgeStepper begins to redirect all DNS queries to a malicious DNS node that replies with the IP address of the node that performs update hijacking of popular Chinese software such as Sogou Pinyin Method.
When the software communicates with the hijacking node, it issues instructions to download an update for a DLL; in reality, the downloaders that we call LittleDaemon and DaemonicLogistics ultimately deploy the #SlowStepper backdoor.
#SlowStepper is a feature-rich backdoor with a toolkit of more than 30 components. We analyzed and documented it in a previous blogpost about the compromise of a South Korean VPN service provider. https://www.welivesecurity.com/en/eset-research/plushdaemon-compromises-supply-chain-korean-vpn-service/
IoCs available on our GitHub repo: https://github.com/eset/malware-ioc/
Hackread.comJan 23, 2025

🚨 PlushDaemon, a China-linked APT targeting S. Korea with a SlowStepper backdoor, SlowStepper. Using a supply chain attack, it infiltrates #VPN software to steal sensitive data.

Read: https://hackread.com/chinese-plushdaemon-apt-south-korean-vpn-backdoor/

#CyberSecurity #PlushDaemon #APT #SlowStepper

Chinese PlushDaemon APT Targets S. Korean IPany VPN with Backdoor

Follow us on Bluesky, Twitter (X) and Facebook at @Hackread

Hackread - Latest Cybersecurity, Tech, Crypto & Hacking News
ESET ResearchJan 23, 2025

#ESETresearch discovered and named πŸ‡¨πŸ‡³ China-aligned #APT group #PlushDaemon who did a supply-chain compromise of a πŸ‡°πŸ‡· South Korean #VPN provider, trojanizing its legitimate software installer with a Windows backdoor we named #SlowStepper.

https://www.welivesecurity.com/en/eset-research/plushdaemon-compromises-supply-chain-korean-vpn-service/

The website had been compromised by PlushDaemon since at least November 2023, resulting in users from πŸ‡°πŸ‡· South Korea, πŸ‡¨πŸ‡³ China, and πŸ‡―πŸ‡΅ Japan downloading the trojanized installer, which deployed the legitimate software and SlowStepper.

The installer deploys malicious files that contain several components inside a custom-formatted archive , including loaders, a process monitor , legitimate PE files abused for side-loading, and the SlowStepper backdoor.

SlowStepper has several interesting features such as decoding #DNS TXT records of a malicious domain to obtain its C&C servers, and a 🐚 shell mode with custom commands, one of which executes modules of an extensive toolkit stored at the Chinese code repository #gitcode

We presented about #PlushDaemon at #jpcert_ac on January 22, 2025 at https://jsac.jpcert.or.jp/

IoCs available in our GitHub repository at https://github.com/eset/malware-ioc/tree/master/PlushDaemon

PlushDaemon compromises supply chain of Korean VPN service

ESET researchers uncover a supply-chain attack against a VPN provider in South Korea by a new China-aligned APT group we have named PlushDaemon.