Cisco Talos discovered an ongoing malicious campaign operated by a financially motivated threat actor targeting users, predominantly in Poland and Germany.

Tuesday, January 28, 2025 06:00

*   Cisco Talos discovered an ongoing malicious campaign operated by a financially motivated threat actor since as early as July 2024 targeting users, predominantly in Poland and Germany, based on the phishing email language. 
*   The actor has delivered different payloads, including Agent Tesla, Snake Keylogger, and a new undocumented backdoor we are calling TorNet, dropped by PureCrypter malware.  
*   The actor is running a Windows scheduled task on victim machines—including on endpoints with a low battery—to achieve persistence.  
*   The actor also disconnects the victim machine from the network before dropping the payload and then connects it back to the network, allowing them to evade detection by cloud antimalware solutions.  
*   We also found that the actor connects the victim’s machine to the TOR network using the TorNet backdoor for stealthy command and control (C2) communications and detection evasion. 

**The campaign **

The intrusions start with a phishing email as the initial infection vector. The actor is impersonating financial institutions and manufacturing and logistics companies by sending fake money transfer confirmations and fake order receipts, respectively. The phishing emails are predominantly written in Polish and German, indicating actor’s intent to primarily target users in those countries. We also found some phishing email samples from the same campaign written in English. We assess with medium confidence that the actor is financially motivated, based on the phishing email themes and the filenames of the email attachments.  

The phishing email has attachments with the file extension “.tgz”, indicating that the actor has used GZIP to compress the TAR archive of the malicious attachment file to disguise the actual malicious content of the attachment and evade email detections. 

Sample phishing email in Polish. 

Sample phishing email in German. 

When a user opens the compressed email attachment and manually unzips it and runs a .NET loader executable, it eventually downloads encrypted PureCrypter malware from a compromised staging server. The Loader decrypts the PureCrypter malware and runs it in the system memory.  

In a few intrusions in this campaign, we found that the PureCrypter malware drops and runs the TorNet backdoor. The TorNet backdoor establishes connection to the C2 server and also connects the victim machine to the TOR network. It has the capabilities to receive and run arbitrary .NET assemblies in the victim machine’s memory, downloaded from the C2 server, increasing the attack surface for further intrusions. 

**.NET loader implants PureCrypter **

Talos found that the compressed attachment files contain a large .NET executable file. The actor has instrumented the .NET executable to either download the next-stage malicious executables from a remote staging server or to reflectively load an embedded malicious binary.  

Some of the loader samples we analyzed in this campaign download the AES-encrypted binary of the PureCrypter malware hosted on compromised websites in paths “/filescontentgalleries/pictorialcoversoffiles/” and “/post-postlogin/” using a hardcoded URL. The encrypted PureCrypter binaries were stored with the arbitrary filenames using different file extensions, including .pdf, .dat, .wav, .vdf, .mp3 and .mp4. The loader decrypts the PureCrypter binary and loads reflectively. 

Snippet of the loader program that downloads the encrypted PureCrypter malware.

Network traffic showing the encrypted PureCrypter malware downloaded from the hosting site. 

In a few other loader samples, we found that the encrypted PureCrypter sample was embedded in the loader, which is decrypted using the AES algorithm and reflectively loaded into the victim machine’s memory.  

Snippet of the loader with embedded PureCrypter binary. 

**PureCrypter drops the TorNet backdoor **

The PureCrypter malware found in this intrusion is a Windows dynamic-link library obfuscated with Eziriz’s .NET Reactor obfuscator. It has resources of encrypted binaries of legitimate DLLs, including Protobuf-net and Microsoft task scheduler DLL along with the TorNet backdoor.  

PureCrypter initially creates a mutex on the victim machine and executes the command to release the currently assigned DHCP IP address of the victim machine, establishes persistence, performs various anti-analysis and detections tasks, drops and runs the payload, and finally executes a command to renew the IP address of the victim machine.  

Cmd /c ipconfig /release 
Cmd /c ipconfig /renew 

The threat actor is likely using this technique to evade detections from the cloud-based anti-malware programs by disconnecting the victim machine from the network and connects back to the network after dropping and running the backdoor.  

The PureCrypter malware performs various anti-debugger, anti-analysis, anti-VM, and anti-malware checks on the victim machine as described below: 

*   It checks if the process is debugged using the function “CheckRemoteDebuggerPresent”. 
*   It checks for the Sandboxie and Cuckoo sandbox environments by enumerating processes to look for “sbieDLL.dll” and “cuckoomon.dll”. 
*   It checks if the DLL is running in the virtual environment by executing the WMI queries and searches for the strings “VMware”, “VIRTUAL”, “AMI”, and “Xen”.  

Select \* from Win32\_BIOS 
Select \* from Win32\_ComputerSystem 

*   It also checks if the process running is associated with “vmGuestLib.dll” to detect the VMWare environment. 
*   It checks if the victim machine username is “john” or “anna” or “xxxxxxxx”.  
*   It checks for the strings “amsi.dll” and “amsiscanbuffer” in the running processes modules of the victim machine.  
*   It checks if the Event Tracing for Windows (ETW) is configured for the victim machine by attempting to check if any processes point to the function “EtwEventWrite” of “ntdll.dll”.  
*   It modifies the Windows Defender settings by executing the PowerShell commands to add its process and the path of the dropped backdoor to the exclusion lists.

Add-MpPreference –ExclusionPath 
Add-MpPreference –ExclusionProcess 

After the evasion checks, PureCrypter decrypts the encrypted backdoor from its resource and drops it to the user profile application temporary folder with a random file name. It also decrypts another file resource using a custom string decryption algorithm, generating the arbitrary filename strings and the task name strings for the Windows Task scheduler.  

PureCrypter establishes the persistence in the Run registry key by adding the path of the loader. It also creates a Windows task using a task name gained by decrypting the strings from the resource file and executes the loader every two to four minutes with no execution time limit. The task can run if the machine switches to battery power and will not stop if it runs on a low battery power. The threat actor has instrumented this technique to possibly ensure an uninterrupted infection avoiding the victim machine operating system to deprioritize the process when a victim machine is running on low battery power mode.  

Code snippet of creating the Windows schedule task. 

PureCrypter drops a Visual Basic script in the Windows startup folder with the instructions to load and execute the dropped backdoor. 

Code Snippet showing the command to drop and execute a VB Script.

After establishing persistence, PureCrypter loads the dropped backdoor by accessing it through a URL scheme “file\[://\]<Path of the dropped backdoor>” and injects the backdoor into the .NET runtime executable process in the victim machine. The threat actor is using this technique to possibly masquerade the file access activity as a web request in the victim machine logs and to bypass detections for loading a file from suspicious file paths on the victim machine.  

Code snippet showing the process injection.

**Payload TorNet creates a backdoor on the victim machine **

Talos discovered a new .NET backdoor as the payload in the recent intrusions of this campaign, which we call TorNet. TorNet backdoor is also obfuscated with Eziriz’s .NET Reactor obfuscator and has hash values for the compilation time. This could be the artifact that was created when the samples were compiled in Visual Studio with the “/deterministic” parameter. When Visual Studio is configured to generate deterministic binaries, the compiled date/time field of the binaries will be replaced by a hash of the compilation options. Talos had previously seen, and reported this technique used by other threat actors to disguise the actual compilation time of the malware binaries.    

TorNet initially decodes a base64-encoded string to obtain the C2 domain, port number, and an alphanumeric string of 16 characters (5e7a81857a353068). It then performs the anti-debugging, anti-malware, anti-VM, and sandbox evasion checks similar to PureCrypter we discussed in the previous section.  

Code snippet showing the base64 string decoding to obtain the string, C2 domain, and port number. 

After the evasion checks, TorNet establishes a TCP socket connection to the C2 server by resolving the IP address of the C2 domain decoded from the base64-encoded string. The connection uses one of the port numbers 8194, 7890, or 8410. We observed that the C2 domains used by the backdoor were resolving to the IP address 104\[.\]168\[.\]7\[.\]37 during the period of our research. 

TorNet backdoor sample connecting to the C2 using the domain and port number.

After establishing the connection to the C2 server, TorNet sends the gained string “5e7a81857a353068” by decoding the base64-encoded strings to the C2 server, creating a hexadecimal byte stream of length 20 and writes it to a memory stream by compressing it using the GzipStream function.  

HEX stream: “3A 12 12 10 35 65 37 61 38 31 38 35 37 61 33 35 33 30 36 38” 

ASCII equivalent: “:<2-byte place holder>\\n5e7a81857a353068” 

TorNet then generates an MD5 hash value of the string “5e7a81857a353068” and uses it as a key to encrypt the compressed 20-byte hexadecimal data stream using the triple DES algorithm. Using the Bitconverter function, TorNet splits the encrypted byte stream and sends it to the C2 server by writing it to the TCP stream through the socket.  

Code snippet of TorNet showing the data exfiltration to the C2 server through sockets. 

The C2 server may send an arbitrary encrypted .NET assembly as a response to a TorNet’s request. TorNet will decrypt the arbitrary binary and reflectively run it. During our research, we were unable to receive a response from the C2, still analyzing the TorNet binary allowed us to assess that the received response will be an arbitrary .NET assembly code, enabling the attack surface for further attack.  

Code snippet for running the received arbitrary .NET assembly. 

TorNet also connects the victim machine to the TOR network. It downloads the TOR expert bundle from the TOR Project archive site, unpacks it and runs the “tor\[.\]exe” as a background process to connect to TOR.  

Code snippet shows the download and execution of tor\[.\]exe. 

Once TOR is running, TorNet connects to the TOR network using the TOR SocksPort (127\[.\]0\[.\]0\[.\]1:9050), and with the “socket.Poll” function, it routes all traffic from the backdoor process on the victim machine through the TOR network. The threat actor is leveraging the TOR network to anonymize the C2 communication and evade detection.  

Connections from TorNet on analysis machine to the TOR nodes.

****Coverage** **

Cisco Secure Endpoint (formerly AMP for Endpoints) is ideally suited to prevent the execution of the malware detailed in this post. Try Secure Endpoint for free here. 

Cisco Secure Web Appliance web scanning prevents access to malicious websites and detects malware used in these attacks. 

Cisco Secure Email (formerly Cisco Email Security) can block malicious emails sent by threat actors as part of their campaign. You can try Secure Email for free here. 

Cisco Secure Firewall (formerly Next-Generation Firewall and Firepower NGFW) appliances such as Threat Defense Virtual, Adaptive Security Appliance and Meraki MX can detect malicious activity associated with this threat. 

Cisco Secure Malware Analytics (Threat Grid) identifies malicious binaries and builds protection into all Cisco Secure products. 

Umbrella, Cisco's secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs and URLs, whether users are on or off the corporate network. Sign up for a free trial of Umbrella here. 

Cisco Secure Web Appliance (formerly Web Security Appliance) automatically blocks potentially dangerous sites and tests suspicious sites before users access them. 

Additional protections with context to your specific environment and threat data are available from the Firewall Management Center. 

Cisco Duo provides multi-factor authentication for users to ensure only those authorized are accessing your network. 

Open-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org. Snort SIDs for this threat are 64440, 64439, 64437, 64438 and 301115. 

ClamAV detections are also available for this threat: 

Win.Backdoor.TorNet-10041435-0    
Win.Downloader.TorNet-10041463-0    
Win.Malware.TorNet-10041565-0    
Win.Malware.TorNet-10041601-0    
Win.Trojan.TorNet-10041734-0 

**Indicators of Compromise  **

IOCs for this threat can be found in our GitHub repository here.

New TorNet backdoor seen in widespread campaign

Plus: A hacker finds an issue with Cloudflare’s systems that could reveal app users’ rough locations, and the Trump administration puts a wrench in a key cybersecurity investigation.

This week started off with a bang and just kept going. In the wee hours of Saturday night, TikTok cut off access to users in the United States ahead of Sunday’s deadline that forced Apple and Google to remove the video-sharing app from their app stores. While TikTok was dark, US users raced to get around the TikTok ban while several other unexpected apps saw their access to Americans severed as well. By midday on Sunday, however, TikTok access was already coming back in the US. By Monday night, newly inaugurated US president Donald Trump had signed an executive order delaying the TikTok ban by 75 days.

On Tuesday, Trump made good on his promise to free Ross Ulbricht, the imprisoned creator of the Silk Road dark-web market, where users sold drugs, guns, and worse. Ulbricht had spent more than 11 years behind bars after he was arrested by the FBI in 2013 and later sentenced to life in prison. Trump’s decision to pardon Ulbricht is largely seen as linked to the support he’s received from the libertarian cryptocurrency community, which has long considered the Silk Road creator a martyr.

As the world enters the second Trump era, WIRED sat down with Jen Easterly, who recently left her top spot as director of the Cybersecurity and Infrastructure Security Agency to discuss the cyber threats facing the US and CISA’s uncertain future as the frontline watchdog against nation-state hackers and other digital security threats facing the US.

Lastly, we detailed new research that revealed how trivial bugs had exposed Subaru’s system for tracking the locations of its customers’ vehicles. The researchers found they could access a web portal for Subaru employees that allowed them to pinpoint up to a years’ worth of a car’s location—down to the parking spots they use. The flaws are now patched, but Subaru employees still have access to sensitive driver location data.

That’s not all. Each week, we round up the security and privacy news we didn’t cover in depth ourselves. Click the headlines to read the full stories. And stay safe out there.

**Judge Says Controversial FBI Searches Require a Warrant**

A US judge in New York this week found that the FBI’s practice of searching data on US persons under Section 702 of the Foreign Intelligence Surveillance Act without obtaining a warrant is unconstitutional. FISA gives the US government the authority to collect the communications of foreign entities through internet providers and companies like Apple and Google. Once this data was collected, the FBI could perform “backdoor searches” for information on US citizens or residents who communicated with foreigners, and it did so without first obtaining a warrant. Judge DeArcy Hall found that these searches do require a warrant. “To hold otherwise would effectively allow law enforcement to amass a repository of communications under Section 702—including those of US persons—that can later be searched on demand without limitation,” the judge wrote.

**Cloudflare Function Could Expose App Users’ Rough Location**

An “issue” with the basic functionality of internet infrastructure company Cloudflare’s content delivery network, or CDN, can reveal the coarse location of people using apps, including those meant for protecting privacy, according to findings from an independent security researcher. Cloudflare has servers in hundreds of cities and more than 100 countries around the world. Its CDN works by caching peoples’ internet traffic across its servers then delivering that data from the server closest to a person’s location. The security researcher, who goes by Daniel, found a way to send an image to a target, collect the URL, then use a custom-built tool to query Cloudflare to find out which data center delivered the image—and thus the state or possibly the city the target is in. Fortunately, Cloudflare tells 404 Media that it fixed the issue after Daniel reported it.

**Trump Administration Disbands Review Board Investigating China’s Salt Typhoon Attacks**

In one of its first moves after Trump took office on Monday, the Department of Homeland Security let go everyone on the agency’s advisory committees. This includes the Cyber Safety Review Board, which was investigating widespread attacks on the US telecommunications system by the China-backed hacker group Salt Typhoon. US authorities revealed in mid-November that Salt Typhoon had embedded itself in at least nine US telecoms for espionage purposes, potentially exposing anyone using unencrypted calls and text message to surveillance by Beijing. While the future of the CSRB remains uncertain, sources tell reporter Eric Geller that their investigation into Salt Typhoon’s attacks is effectively “dead.”

US Privacy Snags a Win as Judge Limits Warrantless FBI Searches

US prosecutors charged five, including North Koreans, for tricking firms into hiring fake IT workers, sending $866K+ to…

US prosecutors charged five, including North Koreans, for tricking firms into hiring fake IT workers, sending $866K+ to fund weapons programs. Stay alert, and report fraud.

Federal prosecutors in the United States have charged five individuals, including two North Korean nationals, for their roles in a scheme that tricked U.S. companies into **hiring North Korean IT workers**.

According to the Department of Justice (DOJ), the operation funneled hundreds of thousands of dollars to the North Korean government, which, other than **using hackers to steal cryptocurrency**, has been using such tactics to evade sanctions and fund its weapons programs.

The indicted individuals include North Korean nationals Jin Sung-Il and Pak Jin-Song, Mexican national Pedro Ernesto Alonso De Los Reyes, and U.S. citizens Erick Ntekereze Prince and Emanuel Ashtor. They are accused of using stolen identities and fraudulent documents to **pose as legitimate US-based IT professionals**, securing remote jobs with at least 64 American companies.

In a **detailed indictment** (PDF), the DOJ outlined that the group operated from April 2018 to August 2024, using fake identities and falsified documents to bypass hiring checks. Once employed, they allegedly transferred payments amounting to at least $866,255 from ten companies through a Chinese bank account to cover the money trail.

Fake documents used in the scam (Via US DoJ)

A key element of the operation, according to the DOJ’s **press release**, involved “laptop farms,” where company-issued computers were received at U.S. locations and set up with remote access software. This allowed North Korean operatives to control the devices from abroad, creating the impression that the workers were based in the United States.

The scheme came to light following an FBI investigation that led to the recent arrests of Prince and Ashtor in the U.S., while Alonso was apprehended in the Netherlands earlier this month.

All five defendants face charges that include conspiracy to commit wire fraud, identity theft, and money laundering. If convicted, they could face up to 20 years in prison.

****Repeated Pattern****

North Korea has long relied on cyber operations to generate revenue for its government. Thousands of IT workers, primarily based in China and Russia, have been deployed to secure freelance work under false identities. According to U.S. officials, these workers can earn up to $300,000 per year, collectively bringing in millions to support the country’s military ambitions.

To achieve this, they take advantage of online job platforms, social media, and payment services, often using unsuspecting individuals in the U.S. to help move money and avoid detection. In July 2024, cybersecurity firm **KnowBe4 was tricked** by a North Korean hacker posing as an IT worker whose next step was to load malware on a company-issued Macbook.

In response, the U.S. government has issued several warnings to businesses about the risks associated with hiring remote IT workers. The FBI and other agencies have **published guidelines** to help companies spot red flags and protect themselves from falling victim to similar scams.

Authorities are also urging businesses to stay alert when hiring remote workers and to report any unusual activity to the FBI. They emphasize the importance of protecting company data and following international sanctions to help stop this type of fraud.

1.  **Feds Bust N. Korean Identity Theft Ring Targeting US Firms**
2.  **Russian hacker tried hiring Tesla worker for malware attack**
3.  **Hackers used fake job website to scam jobless US veterans**
4.  **Fake LinkedIn job offers scam spreading More\_eggs backdoor**
5.  **Employee Duped by AI-Generated CFO in $25.6M Deepfake Scam**

US Charges Five in North Korean IT Worker Hiring Scam

At Black Hat and DEF CON, cybersecurity experts were asked to game out how Taiwan could protect its communications and power infrastructure in case of invasion by China.

Source: Kevin M. Law via Alamy Stock Photo

If China attacked Taiwan, how could Taiwan defend its critical communications infrastructure from cyberattack?

Last year, Dr. Nina A. Kollars and Jason Vogt — both associate professors at the US Naval War College (USNWC) Cyber and Innovation Policy Institute (CIPI) — designed a war game to inspire some novel strategies. They enlisted government and private sector cybersecurity experts at Black Hat and DEF CON to participate, and presented the results at ShmooCon earlier this month.

The scenario was this:

August 6, 2030. Relations between the PRC and Taiwan had deteriorated to the breaking point due to the re-election of a liberal, pro-independence party. Rhetoric towards independence was at an all-time high, and several government representatives had openly called for UN recognition of Taiwan as an independent state. The Central Committee of the Communist Party (CCCP) decided that the risk of Taiwan declaring independence was high enough to warrant military intervention. They began preparations for an invasion. With little chance of surprise, the PRC decided to do their utmost to disrupt Taiwan’s military and civilian communications prior to the assault.

The experts came up with 65 ways Taiwan's government could prepare for such a war, ranging from the low tech, like using ham radio when mobile networks go down, to the ambitious, such as investing in modular nuclear reactors or tidal power generation, to the outlandish, for example using civilians or cultural artifacts as deterrents against military strikes.

Related:Thai Police Systems Under Fire From 'Yokai' Backdoor

**Taiwan's Unique Indefensibility**

In designing the war game, "We put very specific emphasis on what we call the 'Zelensky playbook,'" Kollars says. Ukrainian President Volodymyr Zelensky made certain that communications could occur between his own people and the capital, and between the capital and the rest of the world. "We went into designing the war game specifically to answer the question: Could the Taiwanese play Zelensky? Even under any kind of duress, could they find a way to keep communicating?"

What was clear early on is that political and geographic factors make Taiwan much more vulnerable to blockade. Ukraine is in mainland Europe, with a long border through which it can receive resources of one kind or another — fuel, Internet connectivity, and food, for example. Taiwan's highly connected populus is served by 16 undersea cables, three of which run through China, making them eminently cuttable. Meanwhile, it imports nearly all of its energy from overseas, and has been phasing out domestic nuclear power, which might otherwise provide a balance. "So pretty quickly you get this pretty dire picture, where it's just a fundamentally different kind of battle," Kollars explains.

Related:Russian FSB Hackers Breach Pakistani APT Storm-0156

"Taiwan is in a very vulnerable position because of its geography, but also because of a million little micro-decisions, which ultimately give you the telecommunications and power system that you have," Vogt says. At the time of Russia's invasion, "Ukraine had a much more diverse set of mobile providers, and the power was much more distributed — there's a lot more connections to other countries. So the Russians were probably never in a position where they could digitally isolate Ukraine, writ large. They tried to do it to the capital, but it was always going to be very hard for them. I think in the Taiwan–China scenario, China has the potential to be much more damaging."

**How to Defend Taiwan from China**

Initially, players devised strategies to combat aggressive but ultimately tempered cyberwarfare: ransomware attacks against data centers, severed submarine fiber optic cables, and forced power outages. Only then did China kick up its game with kinetic strikes, including PRC strikes on Taiwanes aircraft and ensuring that nothing can fly in Taiwanese airspace. In the scenario, PRC also destroyed bridges and key routes to coastal defenses, while also targeting Taiwan's command-and-control systems and all manner of communications systems.

Related:Hamas Hackers Spy on Mideast Gov'ts, Disrupt Israel

How could a small island nation possibly protect its infrastructure against the combined might of the world's second greatest military power?

More than two-thirds (70%) of the solutions proposed by players involved investing in infrastructure for communications, power generation, storage, and data backup and distribution. Some 20% of the ideas focused on recovery — preparing civilians with technical skills, and stockpiling spare resources, for example. Only 10% of recommendations focused on straight cybersecurity.

The physical location of critical resources was also of utmost importance. Some suggested that Taiwan take advantage of its geography by building and stockpiling equipment along its far coast, in forests, and nestled in its eastern mountain range. Some suggested decentralizing its infrastructure, spreading it out in smaller chunks all around the country using solar power and cheap radio systems. Others argued for the opposite: concentrating communications and power systems in fewer, denser areas that China might be reticent to destroy.

"There were some ideas I thought, from a military perspective, were pretty risky," Kollars admits. "One of them was to colocate all of Taiwan's precious assets — like the TSMC semiconductor plant, all of its antiquities from China, large populations, and a nuclear power plant — assuming an adversary wouldn't strike a target that had everything stacked on top of it. That's a heck of a gamble."

Ultimately, the most popular ideas were those that were cheap and practical, like using Bluetooth or Raspberry Pi mesh networks as backups to cellular connectivity. "The thing that surprised us most about this exercise," Vogt recalls, "was how much time they spent talking about the civilian population, and what needed to be done to prepare them: everything from public messaging campaigns on how to be cyber secure to full-on training programs to create civilian cyber cores that could not just protect themselves but also operate and maintain equipment when there's no government around, and keep the communications going for longer periods of time."

**About the Author**

Nate Nelson is a writer based in New York City. He formerly worked as a reporter at Threatpost, and wrote "Malicious Life," an award-winning Top 20 tech podcast on Apple and Spotify. Outside of Dark Reading, he also co-hosts "The Industrial Security Podcast."

War Game Pits China Against Taiwan in All-Out Cyberwar

Cybersecurity firm ESET uncovers PlushDaemon, a previously unknown APT group targeting South Korea, deploying a SlowStepper backdoor. This…

Cybersecurity firm ESET uncovers PlushDaemon, a previously unknown APT group targeting South Korea, deploying a SlowStepper backdoor. This article analyses the attack techniques, the capabilities of the SlowStepper malware, and the growing threat posed by this sophisticated APT group. 

Cybersecurity firm ESET has identified a new China-aligned Advanced Persistent Threat (APT) group, dubbed “PlushDaemon,” behind a cyber espionage operation targeting South Korea.

The attack camaign nvolved a **supply chain compromise**, where attackers infiltrated the legitimate update channels of IPany, a popular South Korean VPN software. PlushDaemon then replaced genuine installers with trojanized versions, which upon download and execution, deployed both the legitimate IPany VPN software and a custom backdoor named SlowStepper.

This means, by replacing the genuine installer with a trojanized version, PlushDaemon successfully embedded a malicious backdoor within the software. As per ESET’s **research**, SlowStepper is a feature-rich backdoor boasting over 30 modules. It is designed for extensive surveillance and data collection.

Written in C++, Python, and Go, the malware possesses a wide range of capabilities, including stealing sensitive data such as system information, user credentials, and network configurations, recording audio and video, enabling attackers to monitor their targets’ activities, and gathering detailed information about the victim’s network environment.

Webpage on the IPany site where the malicious installer was available for download (Via ESET)

In addition, the backdoor features advanced persistence mechanisms, such as deploying files that ensure the continued presence of SlowStepper on infected systems and utilizing legitimate tools to sideload malicious code. The trojanized installer utilize advanced communication methods to connect with command-and-control (C&C) servers.

Instead of embedding IP addresses directly within the malware, SlowStepper crafts DNS queries to retrieve TXT records containing base64-encoded, AES-encrypted C&C server addresses. This multi-layered approach makes detection more challenging.

While ESET telemetry revealed manual downloads of the compromised software, suggesting a broad targeting strategy, the attack specifically focused on entities within South Korea’s critical semiconductor and software industries. The timely intervention of ESET, which alerted IPany to the compromised installer, prevented further widespread infection. 

Although only recently discovered, researchers believe the PlushDaemon APT has been active since 2019, consistently building a diverse and powerful arsenal of tools. The sophistication of SlowStepper and the successful execution of this supply chain attack highlight the growing threat posed by this actor. 

To stay safe from these cyber espionage groups there is an urgent need for continuous monitoring. Organizations must prioritize software update channel security and implement stringent verification procedures to ensure the integrity of all updates. Additionally, proactive **threat intelligence** sharing are vital for identifying and mitigating such attacks before they inflict damage.

1.  **Hackers cloned NordVPN website to drop banking trojan**
2.  **Hackers clone ProtonVPN website with password stealer**
3.  **Fake VPN website delivering password-stealing malware**
4.  **N. Korean APT37 Unleashes Dolphin Backdoor on S. Korea**
5.  **Dark web hackers selling S. Korean, US payment card data**

Chinese PlushDaemon APT Targets S. Korean IPany VPN with Backdoor

Such routers typically lack endpoint detection and response protection, are in front of a firewall, and don't run monitoring software like Sysmon, making the attacks harder to detect.

Source: LJSphotography via Alamy Stock Photo

Dozens of organizations have been infected with router malware that uses a packet-sniffing technique to minimize its footprint.

Rather than their far more popular Cisco counterparts, the campaign, which Black Lotus Labs named "J-magic," hones in on Juniper-brand routers at the edge of high-value networks. Exposed enterprise routers are tapped with a variant of a quarter-century-old backdoor, "cd00r," which stays dormant until it receives an activation phrase — a "magic packet." Only then does it grant access to a reverse shell, from which its attackers can steal data, manipulate configurations, and spread to more devices.

"There's been a lot of emphasis on small office/home office (SOHO) devices, but attackers are just as active in the enterprise space," warns Danny Adamitis, principal information security engineer with Black Lotus Labs. "It's just that they're living on these devices that don't really have endpoint detection and response (EDR), that are in front of a firewall, and don't really run things like Sysmon, so it's a little bit harder for people to detect these attacks."

**Backdoor Malware Infests Juniper Routers**

Exactly how the hackers obtained initial access to affected routers is unknown, but the openings they exploited are clear. Around half the Juniper routers victimized by J-magic were configured as virtual private network (VPN) gateways, and the other half possessed exposed Network Configuration Protocol (NETCONF) ports, which allow administrators to remotely manage and configure network settings, but also allow attackers to sneak through and do the same. These routers served as points of entry and control for much larger networks, affording attackers a wide canvas for their malicious deeds.

Related:Omdia Finds Phishing Attacks Top Smartphone Security Concern for Consumers

To exploit these prized devices, the attackers install their malware, cd00r, in a position where it can observe all TCP traffic coming into the edge device. Then it waits for one of five predefined packets meeting highly specific conditions, which act like an activation phrase. When a packet meeting one of these presets is received, the program will spawn a reverse shell connected to the attacker's IP address, through the port specified in the magic packet.

The technique works because it circumvents the already limited methods defenders have for picking up on edge malware. In a typical infection, Adamitis says, "If you're able to monitor traffic from a firewall or router, you can see that there is a beacon that occurs at a set interval. And if you perform a time series analysis, you can see activity continuously occurring with that interval, and it kind of stands out. With something like this, you don't have that consistent call out. This will evade that form of detection."

Related:Automox Releases Endpoint Management With FastAgent

A J-magic attack isn't entirely complete upon reception of the magic packet, though. To confirm that the handler is the intended attacker — not just some passerby trying to piggyback on their work — cd00r sends out a "challenge" string encrypted with a hardcoded public key. Only if the attacker passes this test — by returning the string back using their associated private key — do they obtain control over the reverse shell, and with it the power to control the infected device, steal enterprise data, and deploy further malware.

Evidence of these J-magic infections dates back to September 2023, but the majority of cases appear to have popped up in the spring and summer of 2024. In that year or so, cd00r spread to the US, the UK, Russia, Norway, India, and more countries in between, affecting organizations in construction, bioengineering, insurance, and IT services, among others.

**Blind Spot in Edge Network Cybersecurity**

Easily overlooked is the fact that cd00r, though updated with new features, is a 25-year-old program. It was originally developed and released in 2000, as a proof-of-concept (PoC) for an "invisible" backdoor, on the information security website Packet Storm.

Related:15K Fortinet Device Configs Leaked to the Dark Web

That such an old, and in some ways atavistic, malware would still suffice in 2025 speaks to just how much attackers can get away with in edge networks.

"On your corporate laptop, you probably have Windows Defender and something from your favorite EDR vendor. There tend to be a lot of vendors for end-user workstations, but edge devices don't really seem to have anything on them. So by living in those blind spots, attackers are able to get away with using this 20-year-old malware, because there's no one and nothing on that particular device to actually capture that sort of user interaction," Adamitis says.

"The reporting around these kinds of enterprise-grade routers tends to be a lot more sparse," he adds. "What we're trying to say is: We think there might be this low visibility spot in the perimeter."

**About the Author**

Nate Nelson is a writer based in New York City. He formerly worked as a reporter at Threatpost, and wrote "Malicious Life," an award-winning Top 20 tech podcast on Apple and Spotify. Outside of Dark Reading, he also co-hosts "The Industrial Security Podcast."

Black 'Magic' Targets Enterprise Juniper Routers With Backdoor

Enterprise-grade Juniper Networks routers have become the target of a custom backdoor as part of a campaign dubbed J-magic.
According to the Black Lotus Labs team at Lumen Technologies, the activity is so named for the fact that the backdoor continuously monitors for a "magic packet" sent by the threat actor in TCP traffic. 
"J-magic campaign marks the rare occasion of malware designed

Custom Backdoor Exploiting Magic Packet Vulnerability in Juniper Routers

Advanced persistent threat group PlushDaemon, active since 2019, is using a sophisticated modular backdoor to collect data from infected systems in South Korea.

Source: BeeBright via Shutterstock

A newly discovered Chinese threat group has targeted a South Korean VPN developer with a supply chain attack aimed at deploying a custom backdoor to collect data for cyber-espionage purposes.

The group, dubbed PlushDaemon by the researchers at ESET Research who discovered it, typically aims to hijack legitimate updates of Chinese applications in its malicious operations "by redirecting traffic to attacker-controlled servers," according to a blog post by ESET researcher Facundo Muñoz published on Jan. 22. "Additionally, we have observed the group gaining access via vulnerabilities in legitimate web servers," he wrote.

However, the researchers also discovered the group in May 2024 planting malicious code in an NSIS installer for the Windows version of the VPN software of South Korean company IPany, representing a departure from its typical operations, they said. ESET notified IPany and the malicious installer was removed from the company's website.

PlushDaemon has been active since at least 2019, engaging in cyberespionage operations against individuals and entities in mainland China, Taiwan, Hong Kong, South Korea, the US, and New Zealand. The group is the exclusive user of several types of malware in its malicious activities, mostly notably a custom, modular backdoor for collecting various data from infected machines, called SlowStepper for Windows, according to ESET.

**Atypical Supply-Chain Attack**

The first sign of the supply-chain attack came in May 2024, when ESET researchers noticed detections of malicious code in an NSIS installer for Windows that users from South Korea had downloaded from the IPany website.

"The victims appear to have manually downloaded a ZIP archive containing a malicious NSIS installer from the URL https://ipany\[.\]kr/download/IPanyVPNsetup.zip," Muñoz wrote. However, the researchers didn't find suspicious code on the download page "to produce targeted downloads, for example by geofencing to specific targeted regions or IP ranges." This led them to believe that "anyone using the IPany VPN might have been a valid target."

Several users attempted to install the Trojanized software in the network of a semiconductor company and an unidentified software development company in South Korea. Further research found even older cases of infection via the campaign, with the two oldest coming from a victim in Japan in November 2023 and a victim in China in December 2023, the researchers said.

**SlowStepper Backdoor**

The payload in the supply chain attack is PlushDaemon's own SlowStepper backdoor, which has more than 30 modules. However, the group used a "lite" version of the backdoor in the IPany attack, which contains fewer features than other previous and newer versions, the researchers said.

The backdoor features a multistage command-and-control (C2) protocol using DNS, and is known for its ability to download and execute dozens of additional Python modules with espionage capabilities.

"Both the full and Lite versions make use of an array of tools programmed in Python and Go, which include capabilities for extensive collection of data, and spying through recording of audio and videos," Muñoz wrote.

The researchers found PlushDaemon's tools stored in a remote code repository hosted on the Chinese platform GitCode, under the LetMeGo22 account. At the time of writing, the profile was private.

**Another Chinese APT Emerges**

China already has a raft of known and active APTs that regularly and persistently engage in cyberespionage activities against the US and its allies. One of the most notable operations of late was the infiltration of US broadband provider networks by Chinese APT Salt Typhoon; however, the investigation into that incident was dealt a significant blow on Jan. 21, when President Trump, on his second day back in office, fired the cyber safety board looking into it.

However, with a new, sophisticated actor like PlushDaemon now emerging from the shadows, organizations need to be more vigilant than ever against malicious cyber activity from China, Muñoz said.

"The numerous components in the PlushDaemon toolset and its rich version history show that, while previously unknown, this China-aligned APT group has been operating diligently to develop a wide array of tools, making it a significant threat to watch for," he wrote.

To that end, ESET included a link to its GitHub repository that contains a comprehensive list of indicators of compromise (IoCs) and samples of PlushDaemon activity.

**About the Author**

Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.

Chinese Cyberspies Target South Korean VPN in Supply Chain Attack

Feeling creative? Have something to say about cybersecurity? Submit your caption and our panel of experts will reward the winner with a $25 gift card.

What motivates you? What will change how you do security? Send us a cybersecurity-related caption to describe the above scene and our favorite entry will win its wordsmith a $25 gift card.

Here are four convenient ways to submit your ideas before the Feb. 12 deadline:

*   Via social media: Bluesky, LinkedIn, Facebook, and X. (If you win, we'll respond to you on the same platform, requesting your email address.)
    

**Last Month's Winner**

Shout out — and a $25 gift card — to Paul Mauriks, ICT security specialist, technology solutions, at the Department of Justice and Community Safety in Victoria, Australia for sending us the winning caption for last month's "Sneaking Around" cartoon. Some noteworthy contenders included "I guarantee you there are no backdoors to our network," "Finally found a way to get rid of all that old IT gea.," and "‘Yeah, asset disposal by ‘Back Door Inc.’ I’ll do the supplier assessment thing on Monday…’" Congrats to Paul, and a big thank you to all who participated.

**About the Author**

Cartoonist

John Klossner has been drawing technology cartoons for more than 15 years. His work regularly appears in Computerworld and Federal Computer Week. His illustrations and cartoons have also been published in The New Yorker, Barron's, and The Wall Street Journal.

Name That Toon: Incentives

The US Department of Commerce will prohibit the import of components for connected vehicles from China or Russia, as the US continues to ban technology it sees as potential national security threats.

Source: Hsyn20 via Shutterstock

Smart-vehicle makers are facing supply chain disruption as the US Department of Commerce plans to enforce new regulations banning the import of connected-vehicle technology from China and Russia over cybersecurity fears.

The Commerce Department pursued new regulations after President Biden declared a national emergency over concerns that the United States had become overreliant on China for information and communications technology and services (ICTS). The rule mandates that companies and their suppliers eliminate hardware or software imported from China or Russia in their vehicle connectivity system (VCS) or in their automated driving system (ADS).

It aims to address two concerns: vulnerabilities that would allow a nation-state or criminal organization to implant a backdoor in automotive hardware or software; and the collection of data on US drivers through diagnostic features and other mechanisms, says Yoav Levy, CEO and co-founder of automotive cybersecurity provider Upstream.

"The threat is definitely real," he says. "There are many cases where cars could be hacked — including the safety elements within the cars — and there were many cases where data was stolen or leaked. ... But so far, we haven't seen something like that on a huge scale."

Related:Leveraging Behavioral Insights to Counter LLM-Enabled Hacking

The concerns come as software-defined vehicles (SDVs) shake up the automotive market, while also potentially increasing the cyberattack surface area of automobiles. In the past, vehicle makers created a variety of platforms for their different models, and the number of processors — known as electronic control units (ECUs) — quickly climbed. While the post-pandemic chip shortage slowed the shift to new platforms, manufacturers now aim to quickly reduce the number of ECUs and other hardware needed for the VCS and ADS systems. While current models, for example, can have as many as 130 ECUs, Rivian has already reduced the number of ECUs to seven in its second generation R1 vehicles.

**Wielding the Cyber-Ban Hammer**

Rivian aside, most automobiles have a wide variety of components sourced from China, raising concerns that the United States' reliance on the technologies could allow future compromises.

Banning technology from China and sanctioning Russia is nothing new, says Ivan Novikov, CEO at API security firm Wallarm. The US government has already raised cybersecurity concerns over telecommunications equipment from Huawei, Chinese-made cargo equipment at US seaports, home routers made by Chinese manufacturer TP-Link, and popular social media app TikTok.

Related:Strategic Approaches to Threat Detection, Investigation & Response

"This is kind of the next logical step," he says.

The new commerce regulations will prohibit any "transactions involving VCS hardware and covered software designed, developed, manufactured, or supplied" by people or organizations linked to China or Russia, according to a 213-page final rule, which will be put into effect after months of comments.

Yet, many implementation details remain unclear, Novikov says.

"The open question here is who will enforce the regulations, because the usual enforcement of security requirements and crash \[safety\] tests is under the Department of Transportation," he says. "It's unclear how these two agencies can work together, and how this final DoT requirements or restrictions or controls can work."

**Securing Supply Chains & the Economy?**

The impact on the supply chain will be significant, experts say. The first tier of OEMs — large US and international companies — are not the problem. Their products, however, often come from suppliers that source their own components from Chinese companies, says Alex Oyler, director for North America at industry consultancy SBD Automotive.

It's just one more way that the supply chain is currently undergoing changes, he says. Many carmakers are looking to rewrite their relationships with providers as they move to software-defined vehicles.

Related:Trusted Apps Sneak a Bug Into the UEFI Boot Process

"We're in a bit of a different phase of software-defined vehicle in the sense that OEMs are actually starting to become a lot more prescriptive in the specification of the components that they're sourcing," Oyler says. "It's more of what's called a build-to-print relationship, where they provide not the functional requirements, but requirements for the component architecture — we want this processor, we need this memory, we need this GPU."

The shift to other sources of supply will take years, with the Biden administration allowing carmakers a grace period to comply with the regulations: Software components can no longer be sourced from China and Russia starting with 2027 car models, while by 2030 car models must contain no hardware from prohibited sources.

Making such changes will not be easy, says Upstream's Levy.

"It's not that easy to replace a supplier," he says. "There are financial implications with the supply chain — maybe it's going to be more expensive, or there may be some changes to software that they would need to do for the for the new supplier — an adjustment to the architecture. ... It really depends on what they are actually going to replace."

**About the Author**

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline Journalism (Online) in 2003 for coverage of the Blaster worm. Crunches numbers on various trends using Python and R. Recent reports include analyses of the shortage in cybersecurity workers and annual vulnerability trends.

Tag

#backdoor