{
	"id": "dec9382c-e640-432f-b9aa-877dc13c6e95",
	"created_at": "2026-04-06T00:14:06.075086Z",
	"updated_at": "2026-04-10T03:31:39.357218Z",
	"deleted_at": null,
	"sha1_hash": "d33f03378d165b0d2dd54e72a7297f34350d73aa",
	"title": "Threat Group Cards: A Threat Actor Encyclopedia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 47217,
	"plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\nArchived: 2026-04-05 19:39:19 UTC\nAPT group: PlushDaemon\nNames PlushDaemon (ESET)\nCountry China\nMotivation Information theft and espionage\nFirst seen 2019\nDescription\n(ESET) In May 2024, we noticed detections of malicious code in an NSIS installer for\nWindows that users from South Korea had downloaded from the website of the legitimate\nVPN software IPany (https://ipany.kr/; see Figure 1), which is developed by a South Korean\ncompany. Upon further analysis, we discovered that the installer was deploying both the\nlegitimate software and the backdoor that we’ve named SlowStepper. We contacted the VPN\nsoftware developer to inform them of the compromise, and the malicious installer was\nremoved from their website.\nWe attribute this operation to PlushDaemon – a China-aligned threat actor active since at least\n2019, engaging in espionage operations against individuals and entities in China, Taiwan,\nHong Kong, South Korea, the United States, and New Zealand. PlushDaemon uses a custom\nbackdoor that we track as SlowStepper, and its main initial access technique is to hijack\nlegitimate updates by redirecting traffic to attacker-controlled servers. Additionally, we have\nobserved the group gaining access via vulnerabilities in legitimate web servers.\nObserved Countries: China, Hong Kong, New Zealand, South Korea, Taiwan, USA.\nTools used SlowStepper.\nInformation\nLast change to this card: 22 February 2025\nSource: https://apt.etda.or.th/cgi-bin/showcard.cgi?u=a4ede8f6-c5bf-4791-97d0-f192fc1ae406",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://apt.etda.or.th/cgi-bin/showcard.cgi?u=a4ede8f6-c5bf-4791-97d0-f192fc1ae406"
	],
	"report_names": [
		"showcard.cgi?u=a4ede8f6-c5bf-4791-97d0-f192fc1ae406"
	],
	"threat_actors": [
		{
			"id": "4f7a1404-3aa3-4f27-bced-473c16a4b65c",
			"created_at": "2025-02-23T02:03:22.518463Z",
			"updated_at": "2026-04-10T02:00:04.855713Z",
			"deleted_at": null,
			"main_name": "PlushDaemon",
			"aliases": [],
			"source_name": "ETDA:PlushDaemon",
			"tools": [
				"SlowStepper"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "a0c10b65-a8bb-473b-85b0-6bacc97ecbd8",
			"created_at": "2025-03-07T02:00:03.794198Z",
			"updated_at": "2026-04-10T02:00:03.819825Z",
			"deleted_at": null,
			"main_name": "PlushDaemon",
			"aliases": [],
			"source_name": "MISPGALAXY:PlushDaemon",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434446,
	"ts_updated_at": 1775791899,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/d33f03378d165b0d2dd54e72a7297f34350d73aa.pdf",
		"text": "https://archive.orkl.eu/d33f03378d165b0d2dd54e72a7297f34350d73aa.txt",
		"img": "https://archive.orkl.eu/d33f03378d165b0d2dd54e72a7297f34350d73aa.jpg"
	}
}