My Startup World – Everything About the World of Startups! My Startup World – Everything About the World of Startups! My Startup World – Everything About the World of Startups!
My Startup World – Everything About the World of Startups! My Startup World – Everything About the World of Startups! My Startup World – Everything About the World of Startups!
  • News
  • Interviews
  • How To
  • Startups
  • Innovations
  • Technology
  • Women Entrepreneurs
  • Events
  • Videos
  • News
  • Interviews
  • How To
  • Startups
  • Innovations
  • Technology
  • Women Entrepreneurs
  • Events
  • Videos

ESET Discovers New China-aligned APT Group PlushDaemon

Howsick Vathan Dhas January 24, 2025 Comments Closed 0 likes

ESET researchers have discovered a supply-chain attack against a VPN provider in South Korea by a newly discovered and previously undetected China-aligned APT group that ESET has named PlushDaemon.

In this cyberespionage operation, the attackers replaced the legitimate installer with one that also deployed the group’s signature implant, which ESET has named SlowStepper — a feature-rich backdoor with a toolkit of more than 30 components. The China-aligned threat actor has been active since at least 2019, engaging in espionage operations against individuals and entities in mainland China, Taiwan, Hong Kong, South Korea, the United States, and New Zealand.

“In May 2024, we noticed detections of malicious code in an NSIS installer for Windows that users from South Korea had downloaded from the website of the legitimate VPN software IPany. In further analysis, we discovered that the installer was deploying both the legitimate software and the backdoor. We contacted the VPN software developer to inform them of the compromise, and the malicious installer was removed from their website,” says ESET researcher Facundo Muñoz, who made the discovery.

Additionally, PlushDaemon gains initial access via the technique of hijacking legitimate updates of Chinese applications by redirecting traffic to attacker-controlled servers. ESET has also observed the group gaining access via vulnerabilities in legitimate web servers.

The SlowStepper backdoor is used exclusively by PlushDaemon. This backdoor is notable for its multistage C&C protocol using DNS, as well as its ability to download and execute dozens of additional Python modules with espionage capabilities.

The malware collects a wide range of data from web browsers; is capable of taking photos; scans for documents; collects information from various applications, including messaging applications (e.g., WeChat, Telegram); can spy via audio and video; and steals password credentials.

“The numerous components in the PlushDaemon toolset, and its rich version history, show that, while previously unknown, this China-aligned APT group has been operating diligently to develop a wide array of tools, making it a significant threat to watch out for,” concludes Muñoz.

 

Tags: ESET, Facundo Muñoz, PlushDaemon, SlowStepper, supply-chain attack

Have your say!

0 0
Previous ArticleCemex Ventures reveals Top 50 Contech startups for 2025Next Article500 Global launches new fund to fuel tech ecosystem

You May Also Like

Aquila Group opens a new office in Abu Dhabi
April 8, 2025
Progressive Planet secures $1.14 million to reshape the future of cement
April 8, 2025
54% of Gen-Z don’t want to be middle managers
April 7, 2025

News

Aquila Group opens a new office in Abu Dhabi

Progressive Planet secures $1.14 million to reshape the future of cement

54% of Gen-Z don’t want to be middle managers

The Hashgraph Group invests in UAE’s based AgNext

Mining Grid introduces fresh approach to earn Bitcoins

Copyright © 2025 - Zarks Media. All rights reserved
  • Submit Press Release
  • About
  • Contact

Sign In

Remember Me

Lost Password

Lost Password

Please enter your username or email address. You will receive a link to create a new password via email.

Sign In