{
	"id": "826c5c47-67d6-44eb-bafe-fd7613f5a61b",
	"created_at": "2026-04-06T00:14:35.972727Z",
	"updated_at": "2026-04-10T13:11:47.048298Z",
	"deleted_at": null,
	"sha1_hash": "02581a19776565cd2db685843cdeeb08d8cdeff3",
	"title": "Plead malware distributed via MitM attacks at router level, misusing ASUS WebStorage",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 742843,
	"plain_text": "Plead malware distributed via MitM attacks at router level, misusing ASUS WebStorage\r\nBy Anton Cherepanov\r\nArchived: 2026-04-02 12:34:32 UTC\r\nIn July 2018 we discovered that the Plead backdoor was digitally signed by a code-signing certificate that was issued to D-Link Corporation. Recently we detected a new activity involving the same malware and a connection to legitimate software developed by ASUS Cloud Corporation.\r\nThe Plead malware is a backdoor which, according to Trend Micro, is used by the BlackTech group in targeted attacks. The BlackTech group is primarily focused on cyberespionage in Asia.\r\nThe new activity described in this blogpost was detected by ESET in Taiwan, where the Plead malware has always been most actively deployed.\r\nWhat has happened?\r\nAt the end of April 2019, ESET researchers utilizing ESET telemetry observed multiple attempts to deploy Plead malware in an unusual way. Specifically, the Plead backdoor was created and executed by a legitimate process named AsusWSPanel.exe. This process belongs to the Windows client for a cloud storage service called ASUS WebStorage. As seen in Figure 1, the executable file is digitally signed by ASUS Cloud Corporation.\r\nhttps://www.welivesecurity.com/2019/05/14/plead-malware-mitm-asus-webstorage/\r\nPage 1 of 8\r\nFigure 1. The AsusWSPanel.exe code-signing certificate\r\nAll observed Plead samples had the following file name: Asus Webstorage Upate.exe [sic]. Our research confirmed that the AsusWSPanel.exe module of ASUS WebStorage can create files with such filenames during the software update process, as seen in Figure 2.\r\nFigure 2. Decompiled code of the ASUS WebStorage client\r\nThere are several possible explanations for why legitimate software could create and execute the Plead malware.\r\nScenario 1 – Supply chain attack\r\nA supply chain opens unlimited opportunities for attackers to stealthily compromise a large number of targets at the same time: that’s why the number of supply-chain attacks is increasing. In recent years ESET researchers analyzed such cases as M.E.Doc, Elmedia Player, VestaCP, Statcounter, and the Gaming industry.\r\nFor malware researchers, it’s not always easy to detect and confirm a specific supply-chain attack; sometimes there are not enough pieces of evidence to prove it.\r\nWhen we think about the possibility of an ASUS WebStorage supply-chain attack, we should take into account the following points:\r\nLegitimate ASUS WebStorage binaries were delivered via the same update mechanism\r\nCurrently, we are not aware that ASUS WebStorage servers are used as C\u0026C servers or have served malicious binaries\r\nAttackers used standalone malware files instead of incorporating malicious functionality inside legitimate software\r\nTherefore, we consider the hypothesis of a possible supply-chain attack to be a less likely scenario; however, we can’t fully discount it.\r\nScenario 2 – Man-in-the-middle attack\r\nThe ASUS WebStorage software is vulnerable to a man-in-the-middle attack (MitM). Namely, the software update is requested and transferred using HTTP; once an update is downloaded and ready to execute, the software doesn’t validate its authenticity before execution. Thus, if the update process is intercepted by attackers, they are able to push a malicious update.\r\nESET researchers are familiar with cases when malware was delivered using a MitM attack at the ISP level, such as FinFisher, StrongPity2, and the Turla mosquito case.\r\nAccording to the Trend Micro research mentioned earlier, the attackers behind the Plead malware are compromising vulnerable routers and even using them as C\u0026C servers for the malware.\r\nOur investigation uncovered that most of the affected organizations have routers made by the same producer; moreover, the admin panels of these routers are accessible from the internet. Thus, we believe that a MitM attack at the router level is the most probable scenario.\r\nAs mentioned above, the ASUS WebStorage software requests an update using HTTP. Specifically, it sends a request to the update.asuswebstorage.com server, which sends an answer back in XML format. The most important elements in the XML response are the guid and the link. The guid element contains the currently available version; the link element contains the download URL used for the update. The update process is simple: the software checks whether the installed version is older than the most recent version; if so, then it requests a binary using the provided URL, as seen in Figure 3.\r\nFigure 3. A legitimate communication during an update check of the ASUS WebStorage software\r\nTherefore, attackers could trigger the update by replacing these two elements using their own data. This is the exact scenario we actually observed in the wild. As shown in Figure 4, attackers inserted a new URL, which points to a malicious file at a compromised gov.tw domain.\r\nFigure 4. A captured communication during a malicious update of the ASUS WebStorage software\r\nThe illustration in Figure 5 demonstrates the most likely scenario used to deliver malicious payloads to targets through compromised routers.\r\nFigure 5. Man-in-the-middle attack scenario\r\nPlead backdoor\r\nThe deployed Plead sample is a first-stage downloader. Once executed, it downloads the fav.ico file from a server whose name mimics the official ASUS WebStorage server: update.asuswebstorage.com.ssmailer[.]com\r\nThe downloaded file contains an image in PNG format and data used by the malware, which is located right after the PNG data. Figure 6 depicts the specific byte sequence (control bytes) the malware searches for; it then uses the next 512 bytes as an RC4 encryption key in order to decrypt the rest of the data.\r\nFigure 6. The data used by the Plead malware in the downloaded PNG file\r\nThe decrypted data contains a Windows PE binary, which can be dropped and executed using one of the following absolute filenames and paths:\r\n%APPDATA%\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\slui.exe\r\n%APPDATA%\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\ctfmon.exe\r\n%TEMP%\\DEV[4_random_chars].TMP\r\nBy writing itself to the Start Menu startup folder, the malware gains persistence – it will be loaded each time the current user logs into the system.\r\nThe dropped executable is a second-stage loader, whose purpose is to decrypt shellcode from its PE resource and execute it in memory. This shellcode loads a third-stage DLL, whose purpose is to get an additional module from a C\u0026C server and execute it. The third-stage DLL and downloaded module are thoroughly analyzed by JPCERT and published in their blogpost (referred to there as \"TSCookie\").\r\nConclusion\r\nAttackers are constantly looking for new ways to deliver their malware in a stealthier way. We see that supply-chain and man-in-the-middle attacks are used more and more often by various attackers all around the globe. This is why it’s very important for software developers not only to thoroughly monitor their environment for possible intrusions, but also to implement proper update mechanisms in their products that are resistant to MitM attacks.\r\nESET researchers notified ASUS Cloud Corporation prior to this publication.\r\nFor any inquiries, or to make sample submissions related to this subject, please contact us at threatintel@eset.com.\r\nIndicators of Compromise (IoCs)\r\nESET detection names\r\nWin32/Plead.AP trojan\r\nWin32/Plead.AC trojan\r\nPlead samples (SHA-1)\r\n77F785613AAA41E4BF5D8702D8DFBD315E784F3E\r\n322719458BC5DFFEC99C9EF96B2E84397285CD73\r\nF597B3130E26F184028B1BA6B624CF2E2DECAA67\r\nC\u0026C servers\r\nupdate.asuswebstorage.com.ssmailer[.]com\r\nwww.google.com.dns-report[.]com\r\nMITRE ATT\u0026CK techniques\r\nTactic | ID | Name | Description\r\nExecution | T1203 | Exploitation for Client Execution | BlackTech group exploits a vulnerable update mechanism in ASUS WebStorage software in order to deploy Plead malware in some networks.\r\nPersistence | T1060 | Registry Run Keys / Startup Folder | Plead malware might drop a second stage loader in the Start Menu's startup folder.\r\nDefense Evasion | T1116 | Code Signing | Some Plead malware samples are signed with stolen certificates.\r\nDefense Evasion | T1027 | Obfuscated Files or Information | Plead malware encrypts its payloads with the RC4 algorithm.\r\nCredential Access | T1081 | Credentials in Files | BlackTech can deploy a module that steals credentials from the victim's browser and email clients.\r\nDiscovery | T1083 | File and Directory Discovery | Plead malware allows attackers to obtain a list of files.\r\nDiscovery | T1057 | Process Discovery | Plead malware allows attackers to obtain a list of running processes on a system.\r\nCommand And Control | T1105 | Remote File Copy | Plead malware allows attackers to upload and download files from its C\u0026C.\r\nCommand And Control | T1071 | Standard Application Layer Protocol | Plead malware uses HTTP for communication with its C\u0026C.\r\nExfiltration | T1041 | Exfiltration Over Command and Control Channel | Data exfiltration is done using the already opened channel with the C\u0026C server.\r\nSource: https://www.welivesecurity.com/2019/05/14/plead-malware-mitm-asus-webstorage/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"ETDA",
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.welivesecurity.com/2019/05/14/plead-malware-mitm-asus-webstorage/"
	],
	"report_names": [
		"plead-malware-mitm-asus-webstorage"
	],
	"threat_actors": [
		{
			"id": "8aaa5515-92dd-448d-bb20-3a253f4f8854",
			"created_at": "2024-06-19T02:03:08.147099Z",
			"updated_at": "2026-04-10T02:00:03.685355Z",
			"deleted_at": null,
			"main_name": "IRON HUNTER",
			"aliases": [
				"ATK13 ",
				"Belugasturgeon ",
				"Blue Python ",
				"CTG-8875 ",
				"ITG12 ",
				"KRYPTON ",
				"MAKERSMARK ",
				"Pensive Ursa ",
				"Secret Blizzard ",
				"Turla",
				"UAC-0003 ",
				"UAC-0024 ",
				"UNC4210 ",
				"Venomous Bear ",
				"Waterbug "
			],
			"source_name": "Secureworks:IRON HUNTER",
			"tools": [
				"Carbon-DLL",
				"ComRAT",
				"LightNeuron",
				"Mosquito",
				"PyFlash",
				"Skipper",
				"Snake",
				"Tavdig"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "efa7c047-b61c-4598-96d5-e00d01dec96b",
			"created_at": "2022-10-25T16:07:23.404442Z",
			"updated_at": "2026-04-10T02:00:04.584239Z",
			"deleted_at": null,
			"main_name": "BlackTech",
			"aliases": [
				"BlackTech",
				"Canary Typhoon",
				"Circuit Panda",
				"Earth Hundun",
				"G0098",
				"Manga Taurus",
				"Operation PLEAD",
				"Operation Shrouded Crossbow",
				"Operation Waterbear",
				"Palmerworm",
				"Radio Panda",
				"Red Djinn",
				"T-APT-03",
				"TEMP.Overboard"
			],
			"source_name": "ETDA:BlackTech",
			"tools": [
				"BIFROST",
				"BUSYICE",
				"BendyBear",
				"Bluether",
				"CAPGELD",
				"DRIGO",
				"Deuterbear",
				"Flagpro",
				"GOODTIMES",
				"Gh0stTimes",
				"IconDown",
				"KIVARS",
				"LOLBAS",
				"LOLBins",
				"Linopid",
				"Living off the Land",
				"TSCookie",
				"Waterbear",
				"XBOW",
				"elf.bifrose"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "2646f776-792a-4498-967b-ec0d3498fdf1",
			"created_at": "2022-10-25T15:50:23.475784Z",
			"updated_at": "2026-04-10T02:00:05.269591Z",
			"deleted_at": null,
			"main_name": "BlackTech",
			"aliases": [
				"BlackTech",
				"Palmerworm"
			],
			"source_name": "MITRE:BlackTech",
			"tools": [
				"Kivars",
				"PsExec",
				"TSCookie",
				"Flagpro",
				"Waterbear"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "a97cf06d-c2e2-4771-99a2-c9dee0d6a0ac",
			"created_at": "2022-10-25T16:07:24.349252Z",
			"updated_at": "2026-04-10T02:00:04.949821Z",
			"deleted_at": null,
			"main_name": "Turla",
			"aliases": [
				"ATK 13",
				"Belugasturgeon",
				"Blue Python",
				"CTG-8875",
				"G0010",
				"Group 88",
				"ITG12",
				"Iron Hunter",
				"Krypton",
				"Makersmark",
				"Operation Epic Turla",
				"Operation Moonlight Maze",
				"Operation Penguin Turla",
				"Operation Satellite Turla",
				"Operation Skipper Turla",
				"Operation Turla Mosquito",
				"Operation WITCHCOVEN",
				"Pacifier APT",
				"Pensive Ursa",
				"Popeye",
				"SIG15",
				"SIG2",
				"SIG23",
				"Secret Blizzard",
				"TAG-0530",
				"Turla",
				"UNC4210",
				"Venomous Bear",
				"Waterbug"
			],
			"source_name": "ETDA:Turla",
			"tools": [
				"ASPXSpy",
				"ASPXTool",
				"ATI-Agent",
				"AdobeARM",
				"Agent.BTZ",
				"Agent.DNE",
				"ApolloShadow",
				"BigBoss",
				"COMpfun",
				"Chinch",
				"Cloud Duke",
				"CloudDuke",
				"CloudLook",
				"Cobra Carbon System",
				"ComRAT",
				"DoublePulsar",
				"EmPyre",
				"EmpireProject",
				"Epic Turla",
				"EternalBlue",
				"EternalRomance",
				"GoldenSky",
				"Group Policy Results Tool",
				"HTML5 Encoding",
				"HyperStack",
				"IcedCoffee",
				"IronNetInjector",
				"KSL0T",
				"Kapushka",
				"Kazuar",
				"KopiLuwak",
				"Kotel",
				"LOLBAS",
				"LOLBins",
				"LightNeuron",
				"Living off the Land",
				"Maintools.js",
				"Metasploit",
				"Meterpreter",
				"MiamiBeach",
				"Mimikatz",
				"MiniDionis",
				"Minit",
				"NBTscan",
				"NETTRANS",
				"NETVulture",
				"Neptun",
				"NetFlash",
				"NewPass",
				"Outlook Backdoor",
				"Penquin Turla",
				"Pfinet",
				"PowerShell Empire",
				"PowerShellRunner",
				"PowerShellRunner-based RPC backdoor",
				"PowerStallion",
				"PsExec",
				"PyFlash",
				"QUIETCANARY",
				"Reductor RAT",
				"RocketMan",
				"SMBTouch",
				"SScan",
				"Satellite Turla",
				"SilentMoon",
				"Sun rootkit",
				"TTNG",
				"TadjMakhal",
				"Tavdig",
				"TinyTurla",
				"TinyTurla Next Generation",
				"TinyTurla-NG",
				"Topinambour",
				"Tunnus",
				"Turla",
				"Turla SilentMoon",
				"TurlaChopper",
				"Uroburos",
				"Urouros",
				"WCE",
				"WITCHCOVEN",
				"WhiteAtlas",
				"WhiteBear",
				"Windows Credential Editor",
				"Windows Credentials Editor",
				"Wipbot",
				"WorldCupSec",
				"XTRANS",
				"certutil",
				"certutil.exe",
				"gpresult",
				"nbtscan",
				"nbtstat",
				"pwdump"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "75024aad-424b-449a-b286-352fe9226bcb",
			"created_at": "2023-01-06T13:46:38.962724Z",
			"updated_at": "2026-04-10T02:00:03.164536Z",
			"deleted_at": null,
			"main_name": "BlackTech",
			"aliases": [
				"CIRCUIT PANDA",
				"Temp.Overboard",
				"Palmerworm",
				"G0098",
				"T-APT-03",
				"Manga Taurus",
				"Earth Hundun",
				"Mobwork",
				"HUAPI",
				"Red Djinn",
				"Canary Typhoon"
			],
			"source_name": "MISPGALAXY:BlackTech",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "3b93ef3c-2baf-429e-9ccc-fb80d0046c3b",
			"created_at": "2025-08-07T02:03:24.569066Z",
			"updated_at": "2026-04-10T02:00:03.730864Z",
			"deleted_at": null,
			"main_name": "BRONZE CANAL",
			"aliases": [
				"BlackTech",
				"CTG-6177 ",
				"Circuit Panda ",
				"Earth Hundun",
				"Palmerworm ",
				"Red Djinn",
				"Shrouded Crossbow "
			],
			"source_name": "Secureworks:BRONZE CANAL",
			"tools": [
				"Bifrose",
				"DRIGO",
				"Deuterbear",
				"Flagpro",
				"Gh0stTimes",
				"KIVARS",
				"PLEAD",
				"Spiderpig",
				"Waterbear",
				"XBOW"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "a97fee0d-af4b-4661-ae17-858925438fc4",
			"created_at": "2023-01-06T13:46:38.396415Z",
			"updated_at": "2026-04-10T02:00:02.957137Z",
			"deleted_at": null,
			"main_name": "Turla",
			"aliases": [
				"TAG_0530",
				"Pacifier APT",
				"Blue Python",
				"UNC4210",
				"UAC-0003",
				"VENOMOUS Bear",
				"Waterbug",
				"Pfinet",
				"KRYPTON",
				"Popeye",
				"SIG23",
				"ATK13",
				"ITG12",
				"Group 88",
				"Uroburos",
				"Hippo Team",
				"IRON HUNTER",
				"MAKERSMARK",
				"Secret Blizzard",
				"UAC-0144",
				"UAC-0024",
				"G0010"
			],
			"source_name": "MISPGALAXY:Turla",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "d11c89bb-1640-45fa-8322-6f4e4053d7f3",
			"created_at": "2022-10-25T15:50:23.509601Z",
			"updated_at": "2026-04-10T02:00:05.277674Z",
			"deleted_at": null,
			"main_name": "Turla",
			"aliases": [
				"Turla",
				"IRON HUNTER",
				"Group 88",
				"Waterbug",
				"WhiteBear",
				"Krypton",
				"Venomous Bear",
				"Secret Blizzard",
				"BELUGASTURGEON"
			],
			"source_name": "MITRE:Turla",
			"tools": [
				"PsExec",
				"nbtstat",
				"ComRAT",
				"netstat",
				"certutil",
				"KOPILUWAK",
				"IronNetInjector",
				"LunarWeb",
				"Arp",
				"Uroburos",
				"PowerStallion",
				"Kazuar",
				"Systeminfo",
				"LightNeuron",
				"Mimikatz",
				"Tasklist",
				"LunarMail",
				"HyperStack",
				"NBTscan",
				"TinyTurla",
				"Penquin",
				"LunarLoader"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434475,
	"ts_updated_at": 1775826707,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/02581a19776565cd2db685843cdeeb08d8cdeff3.pdf",
		"text": "https://archive.orkl.eu/02581a19776565cd2db685843cdeeb08d8cdeff3.txt",
		"img": "https://archive.orkl.eu/02581a19776565cd2db685843cdeeb08d8cdeff3.jpg"
	}
}