PlushDaemon Hackers Unleash New Malware in China-Aligned Spy Campaigns

Published 2025-11-19 by henry. Source: http://ft365.org/index.php/2025/11/19/plushdaemon-hackers-unleash-new-malware-in-china-aligned-spy-campaigns/

A China-aligned hacking group known for its global cyber-espionage campaigns has been observed deploying a previously undocumented network implant that it uses to conduct adversary-in-the-middle (AitM) attacks.

The group, PlushDaemon, has been active since at least 2018 and has targeted organizations in Cambodia, South Korea, New Zealand, the US, Taiwan and even Hong Kong and China.

While the group's main initial-access vector is hijacking legitimate updates of Chinese applications, it was also identified as the culprit behind a supply-chain attack on IPany, a South Korean VPN provider, in May 2024.

While investigating the group's tactics, techniques and procedures (TTPs) in 2024, ESET researchers discovered an Executable and Linkable Format (ELF) file, named bioset, that had been submitted to VirusTotal and that contained two subdomains belonging to PlushDaemon's infrastructure.

The researchers analyzed the file, which its developers internally call dns_cheat_v2 and which ESET codenamed EdgeStepper, and found that it is a new AitM tool. Running on a compromised network device, it forwards domain name system (DNS) queries from machines in the targeted network to a malicious DNS node. That node answers queries for software-update hosts with the address of a hijacking node, which in turn serves instructions to the legitimate software that cause it to download a malicious update.

Once inside, the PlushDaemon operators drop two downloaders, LittleDaemon and DaemonLogistics, which deliver a backdoor toolkit designed for cyber-espionage operations.

"These implants give PlushDaemon the capability to compromise targets anywhere in the world," the researchers wrote.

ESET published its malware analysis of EdgeStepper in a report on November 19.

[Figure: Illustration of key stages in PlushDaemon's adversary-in-the-middle attack using EdgeStepper. Source: ESET]

"It is important to note that it is unlikely that EdgeStepper is the only component deployed on the compromised network device. Unfortunately, we don't have samples of other components in the compromise chain," the ESET researchers wrote.

In the 2024 attack on IPany, PlushDaemon was observed using another piece of malware, a Windows backdoor with a toolkit of over 30 components that ESET dubbed SlowStepper.
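The DNS redirection described in the article above (update-host queries answered by an attacker-controlled DNS node so that the update client is steered to a hijacking node) leaves a trace a defender can look for: the address a LAN-path resolver returns for an update host will not match what independent, out-of-band resolvers return. The following is an added example, not code from the article or from ESET: a cross-resolver consistency check that parses raw DNS responses in wire format and flags update domains whose LAN-path answer set is disjoint from the out-of-band answer set. All domain names (such as `updates.vendor.example`), addresses and response messages are constructed placeholders for illustration, not indicators from the campaign.

```python
"""Cross-resolver consistency check for software-update domains.

Added example; not code from the article or from ESET. Parses DNS responses in
wire format (RFC 1035) and flags update domains whose LAN-path answer shares no
address with answers obtained out of band (e.g. over DoH/DoT or a second uplink).
Every name, address and message here is constructed sample data.
"""
import struct
from typing import Dict, List, Set, Tuple


def _read_name(msg: bytes, off: int) -> Tuple[str, int]:
    """Decode a (possibly compressed) name at msg[off]; return (name, offset past it)."""
    labels: List[str] = []
    end, jumped, hops = off, False, 0
    while True:
        length = msg[off]
        if (length & 0xC0) == 0xC0:                   # compression pointer (RFC 1035 4.1.4)
            ptr = struct.unpack_from("!H", msg, off)[0] & 0x3FFF
            if not jumped:
                end = off + 2                         # pointer occupies 2 bytes in place
            jumped, hops = True, hops + 1
            if hops > 16:                             # refuse pointer loops
                raise ValueError("name compression loop")
            off = ptr
            continue
        off += 1
        if length == 0:                               # root label terminates the name
            if not jumped:
                end = off
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels).lower(), end


def parse_a_records(msg: bytes) -> Dict[str, Set[str]]:
    """Return {owner name: {IPv4, ...}} for every IN A record in the answer section."""
    _txid, flags, qdcount, ancount, _ns, _ar = struct.unpack_from("!6H", msg, 0)
    if not (flags & 0x8000):
        raise ValueError("QR bit clear: not a response")
    off = 12
    for _ in range(qdcount):                          # skip the question section
        _, off = _read_name(msg, off)
        off += 4                                      # QTYPE + QCLASS
    answers: Dict[str, Set[str]] = {}
    for _ in range(ancount):
        name, off = _read_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rclass == 1 and rdlen == 4:  # A record, class IN
            answers.setdefault(name, set()).add(".".join(str(b) for b in rdata))
    return answers


def build_response(qname: str, addrs: List[str], txid: int = 0x1234) -> bytes:
    """Encode a minimal A-record response (sample-input construction only).
    Answer owner names are pointers to the question name at offset 12, as real
    resolvers encode them, which exercises the pointer path in _read_name."""
    labels = qname.strip(".").split(".")
    qn = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    header = struct.pack("!6H", txid, 0x8180, 1, len(addrs), 0, 0)  # QR, RD, RA set
    question = qn + struct.pack("!HH", 1, 1)          # QTYPE=A, QCLASS=IN
    rrs = b""
    for addr in addrs:
        rdata = bytes(int(octet) for octet in addr.split("."))
        rrs += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + rdata
    return header + question + rrs


def find_divergent(lan: Dict[str, bytes], out_of_band: Dict[str, List[bytes]]) -> Dict[str, dict]:
    """Flag each domain whose LAN-path answers are disjoint from all out-of-band answers."""
    findings: Dict[str, dict] = {}
    for domain, lan_msg in lan.items():
        key = domain.lower().strip(".")
        lan_ips = parse_a_records(lan_msg).get(key, set())
        oob_ips: Set[str] = set()
        for msg in out_of_band.get(domain, []):
            oob_ips |= parse_a_records(msg).get(key, set())
        divergent = bool(lan_ips) and bool(oob_ips) and lan_ips.isdisjoint(oob_ips)
        findings[domain] = {"lan": sorted(lan_ips), "oob": sorted(oob_ips), "divergent": divergent}
    return findings


def sample_findings() -> Dict[str, dict]:
    """Constructed scenario: one update host answered consistently, one steered by the
    LAN-path resolver to an address no out-of-band resolver has ever returned."""
    good, bad = "updates.vendor.example", "dl.othervendor.example"
    lan = {good: build_response(good, ["198.51.100.10"]),
           bad: build_response(bad, ["203.0.113.7"])}   # only the LAN path sees this
    oob = {good: [build_response(good, ["198.51.100.10", "198.51.100.11"]),
                  build_response(good, ["198.51.100.11"])],
           bad: [build_response(bad, ["192.0.2.20"]), build_response(bad, ["192.0.2.21"])]}
    return find_divergent(lan, oob)


if __name__ == "__main__":
    for domain, result in sample_findings().items():
        status = "DIVERGENT" if result["divergent"] else "consistent"
        print(f"{domain}: {status} lan={result['lan']} oob={result['oob']}")
```

Two caveats when running this against live traffic. First, the reference answers must genuinely travel an independent path: if the implant sits on the gateway, plaintext UDP/53 to a public resolver can be intercepted just like queries to the LAN resolver, so fetch the out-of-band answers over DoH/DoT or from a host on a separate uplink. Second, CDN and GeoDNS deployments legitimately hand different addresses to different vantage points, so a disjoint set is a lead to triage (check whether the LAN answer falls inside address ranges the vendor is known to use), not proof of tampering on its own.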