Pulse name: IOC - PlushDaemon compromises network devices for adversary-in-the-middle attacks
TLP: WHITE | Author: celestre | Created: 2025-11-20 | Modified: 2025-12-20
41 IOCs (medium volume)
ESET researchers provide insights into how PlushDaemon performs adversary-in-the-middle attacks using a previously undocumented network implant that we have named EdgeStepper, which redirects all DNS queries to an external, malicious hijacking node, effectively rerouting the traffic from legitimate infrastructure used for software updates to attacker-controlled infrastructure.
MITRE ATT&CK & Malware Families
Malware families: SlowStepper
Indicators of Compromise (41)
TYPE | INDICATOR | DESCRIPTION | CREATED
URL | https://gitcode.net/LetMeGo22/caffe/raw/master/models/bvlc_mod | | 2025-11-20
FileHash-MD5 | 0ec84f5912b540618695397211189ebb | MD5 of ad4f0428fc9290791d550eeddf171aff046c4c2c | 2025-11-20
FileHash-MD5 | 100bd14b76a5e570158811a6af448229 | MD5 of 4b194770f6054c513b5a3821cb94feea58c09d3c | 2025-11-20
FileHash-MD5 | 2ba80036b9554d9722e199e9d0065831 | MD5 of 2db60f0adef14f4ab3573f8309e6fb135f67ed7d | 2025-11-20
FileHash-MD5 | 3094bd501c2e4630d06f72453ec6d173 | MD5 of b5a5da09114f1e8443daf13a799f2645c135b0bc | 2025-11-20
FileHash-MD5 | e2bc2361ead7c80eba86a5d1c492865d | MD5 of 068fd2d209c0bbb0c6fc14e88d63f92441163233 | 2025-11-20
FileHash-SHA1 | 00385604a792b8874238e9b0abc98a423135b2f4 | | 2025-11-20
FileHash-SHA1 | 068fd2d209c0bbb0c6fc14e88d63f92441163233 | | 2025-11-20
FileHash-SHA1 | 0fa9c4958fbd8513a41056938d5fbce6c63bbe03 | | 2025-11-20
FileHash-SHA1 | 2db60f0adef14f4ab3573f8309e6fb135f67ed7d | | 2025-11-20
FileHash-SHA1 | 3c36574e7683a2c6382dc55345b7d1d544c1c1ef | | 2025-11-20
FileHash-SHA1 | 401571851a7cf71783a4cb902db81084f0a97f85 | | 2025-11-20
FileHash-SHA1 | 4b194770f6054c513b5a3821cb94feea58c09d3c | | 2025-11-20
FileHash-SHA1 | 5977a9538627bf274c438fd04a6e20e1a5ba3a4a | | 2025-11-20
FileHash-SHA1 | 5a79aea546b04292c099137af4740a944f02963a | | 2025-11-20
FileHash-SHA1 | 6b6e16c6e4e5301be715642179b8e19e91f777a4 | | 2025-11-20
FileHash-SHA1 | 846c025f696da1f6808b9101757c005109f3cf3d | | 2025-11-20
FileHash-SHA1 | ad4f0428fc9290791d550eeddf171aff046c4c2c | | 2025-11-20
FileHash-SHA1 | b5a5da09114f1e8443daf13a799f2645c135b0bc | | 2025-11-20
FileHash-SHA1 | b5b5ab0074f81c02f27d263bc3723809be0d86a8 | | 2025-11-20
FileHash-SHA1 | c58d6ac9d0b2d4e1144490ccde581d9c34cbb38e | | 2025-11-20
FileHash-SHA1 | d1eb4427bdb7f59a01fda60811708f07308f7987 | | 2025-11-20
FileHash-SHA1 | d22b0db144c1b42b1ce2a1741c83d845092fcc61 | | 2025-11-20
FileHash-SHA1 | eeb4a930ef2d4547b96f06ac6783b06e215c2f13 | | 2025-11-20
FileHash-SHA1 | eeda5d66285ff8e0baab8621994bf1d365188721 | | 2025-11-20
FileHash-SHA256 | 062264c360b05c6b8a3598b8cd13c72e6cd3b9e34c4ae2c7fc272659599434c3 | SHA256 of ad4f0428fc9290791d550eeddf171aff046c4c2c | 2025-11-20
FileHash-SHA256 | 40df05b4f04ad093b31c9ca07a559be56a700e49f6051b5cb7462db5f85be8c3 | SHA256 of 068fd2d209c0bbb0c6fc14e88d63f92441163233 | 2025-11-20
FileHash-SHA256 | 4dbd9530dd33ea1c133ebb462afd4feac677051db9453c721890fa7210480113 | SHA256 of 4b194770f6054c513b5a3821cb94feea58c09d3c | 2025-11-20
FileHash-SHA256 | 9c82ccddbf3d542a48c4950a82b4f5913c7be9c8e757ba5b78f6ed59979b7fa6 | SHA256 of 2db60f0adef14f4ab3573f8309e6fb135f67ed7d | 2025-11-20
FileHash-SHA256 | c44bb3cdee68d40920b9e36f80b9a3361520f17d6e470a56bd08f8c5b9054b10 | SHA256 of b5a5da09114f1e8443daf13a799f2645c135b0bc | 2025-11-20
URL | https://gitcode.net/LetMeGo22/caffe/raw/master/models/finetune_flickr_to_python/glib | | 2025-11-20
URL | https://gitcode.net/LetMeGo22/caffe/raw/master/models/finetune_flickr_to_python/tmod | | 2025-11-20
domain | gitcode.net | | 2025-11-20
domain | rundll.org | | 2025-11-20
domain | win7py.org | | 2025-11-20
domain | winxppy.org | | 2025-11-20
hostname | 7051.gsm.360safe.company | | 2025-11-20
hostname | agt.wcsset.com | | 2025-11-20
hostname | reverse.wcsset.com | | 2025-11-20
hostname | riskware.mimikatz.cv | | 2025-11-20
hostname | st.360safe.company | | 2025-11-20