ESET Research
@esetresearch.bsky.social
Security research and breaking news straight from ESET Research Labs.
welivesecurity.com/research/
C821B5F25E074F71CD3A36A0F6C5E30E17B1BEEB
C3BC8CB2A44D9EC741493380D28936CE15AB6AA6
8/8
November 24, 2025 at 5:57 PM
IoC:
🚨 QuietEnvelope
7C641C8C54C9BF8F6DDC2543675775F332ABB224
D69207244AB48697E15A8BD04D92CC9808C8C994
4ADD582C52D471F552AE3142A60BFAF81EA3AF07
6E2E94CCE6AF92F25C9ED62C4BFE2431C66CABA5
BD05ED2E4135FABFE66E66F2F0D46F7CB3E9412E
95F7CE692877B3A457EAC2E00B51576C4405BC5D
7/8
November 24, 2025 at 5:57 PM
The level of sophistication, familiarity with the target environment, and the strings and comments likely intended to blend in suggest that an unknown APT group may be behind this. The debug strings are in simplified Chinese, which is primarily used in Mainland China 🇨🇳. 6/8
November 24, 2025 at 5:57 PM
The third backdoor is injected into a running mgsmtpd process. It is capable of retrieving file content and executing commands. By default, it responds with 250 OK, suggesting that the backdoor is hooked into the code that is maybe responsible for generating the SMTP response. 5/8
November 24, 2025 at 5:57 PM
The Apache module expects the command, which is executed via popen, in the custom HTTP header OpenfindMaster. The command and the subsequent response are encoded via base64 and encrypted via AES with a hardcoded key that also contains the word Openfind. 4/8
November 24, 2025 at 5:57 PM
The LKM, internally named smtp_backdoor, monitors ingress TCP traffic on port 6400 and triggers when packets contain the magic string EXEC_OPENFIND: followed by a command. It runs the command and uses a named pipe to read the output, which is then sent back to the client. 3/8
November 24, 2025 at 5:57 PM
The Perl scripts are mainly responsible for deploying three passive backdoors as a loadable kernel module (LKM), an Apache module, and an injected shellcode. Together, they enable the attackers to have remote access to a compromised server. 2/8
November 24, 2025 at 5:57 PM
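The thread names two network-side indicators a defender can key on: the LKM triggers on ingress TCP traffic to port 6400 containing the magic string EXEC_OPENFIND:, and the Apache module reads its command from a custom OpenfindMaster HTTP header. The following is an added detection example, not ESET's code or part of the thread; only the port number, the magic string and the header name are taken from the posts, and the sample traffic, rule names and function names are constructed for illustration.

```python
# Added example (not ESET's code): turning the QuietEnvelope network-side
# indicators quoted in the thread into simple detection checks. Only the port,
# magic string and header name come from the thread; everything else here
# (sample traffic, rule and function names) is constructed for illustration.
from dataclasses import dataclass
from typing import List, Optional

LKM_PORT = 6400                      # port the smtp_backdoor LKM watches
LKM_MAGIC = b"EXEC_OPENFIND:"        # magic prefix that triggers the LKM
APACHE_HEADER = b"openfindmaster"    # custom header read by the Apache module


@dataclass(frozen=True)
class Alert:
    rule: str
    detail: str


def check_tcp_segment(dst_port: int, payload: bytes) -> Optional[Alert]:
    """Flag an ingress TCP payload to port 6400 that carries the LKM magic string.

    The thread says the LKM triggers when a packet *contains* the magic, so the
    whole payload is searched rather than only its first bytes.
    """
    if dst_port != LKM_PORT:
        return None
    offset = payload.find(LKM_MAGIC)
    if offset < 0:
        return None
    return Alert("quietenvelope_lkm_magic",
                 f"EXEC_OPENFIND: marker at payload offset {offset}")


def check_http_request(raw_request: bytes) -> Optional[Alert]:
    """Flag an HTTP request carrying the custom OpenfindMaster header.

    Header names are compared case-insensitively, as HTTP header names are,
    so varying the case of the header does not evade the check.
    """
    head, _, _ = raw_request.partition(b"\r\n\r\n")
    for line in head.split(b"\r\n")[1:]:       # skip the request line
        name, sep, value = line.partition(b":")
        if sep and name.strip().lower() == APACHE_HEADER:
            return Alert("quietenvelope_apache_header",
                         f"OpenfindMaster header present ({len(value.strip())} bytes)")
    return None


# Constructed sample traffic: a benign SMTP greeting, one LKM trigger on 6400,
# a benign probe on 6400, a benign HTTP request, and one request carrying the
# suspicious header (its value is an arbitrary base64 string, not real data).
SAMPLE_SEGMENTS = [
    (25, b"EHLO mail.example.test\r\n"),
    (6400, b"garbage\x00\x01EXEC_OPENFIND:id\n"),
    (6400, b"HELO normal-looking-probe\r\n"),
]
SAMPLE_REQUESTS = [
    b"GET /webmail/ HTTP/1.1\r\nHost: mail.example.test\r\nUser-Agent: x\r\n\r\n",
    b"POST / HTTP/1.1\r\nHost: mail.example.test\r\nopenfindmaster: Zm9vYmFy\r\n\r\n",
]


def scan_samples() -> List[Alert]:
    """Run both checks over the constructed samples and return the alerts raised."""
    alerts: List[Alert] = []
    for port, payload in SAMPLE_SEGMENTS:
        hit = check_tcp_segment(port, payload)
        if hit:
            alerts.append(hit)
    for request in SAMPLE_REQUESTS:
        hit = check_http_request(request)
        if hit:
            alerts.append(hit)
    return alerts


if __name__ == "__main__":
    for alert in scan_samples():
        print(f"[{alert.rule}] {alert.detail}")
```

In a real deployment these two checks would sit in a network sensor (the TCP check as a payload-content rule scoped to destination port 6400, the header check in HTTP inspection of traffic to the mail server's Apache instance); the point of matching the header name case-insensitively and searching the whole payload is that both indicators are, per the thread, what the implants themselves look for, so a detection that is narrower than the implant's own parsing would miss traffic the implant accepts.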
IoCs available on our GitHub repo: github.com/eset/malware... 5/5
GitHub - eset/malware-ioc: Indicators of Compromises (IOC) of our various investigations
November 19, 2025 at 10:12 AM
#SlowStepper is a feature-rich backdoor with a toolkit of more than 30 components. We analyzed and documented it in a previous blog post about the compromise of a South Korean VPN service provider. www.welivesecurity.com/en/eset-rese... 4/5
PlushDaemon compromises supply chain of Korean VPN service
ESET researchers uncover a supply-chain attack against a VPN provider in South Korea by a new China-aligned APT group we have named PlushDaemon.
November 19, 2025 at 10:12 AM
When the software communicates with the hijacking node, it issues instructions to download an update for a DLL; in reality, the downloaders that we call LittleDaemon and DaemonicLogistics ultimately deploy the #SlowStepper backdoor. 3/5
November 19, 2025 at 10:12 AM
When a network device (e.g., a router) is compromised, EdgeStepper begins to redirect all DNS queries to a malicious DNS node that replies with the IP address of the node that performs update hijacking of popular Chinese software such as Sogou Pinyin Method. 2/5
November 19, 2025 at 10:12 AM
IoCs
Android/Spy.NGate.BD
223D7AA925549C9C657C017F06CF7C19595C2CEE
5a341dc1-98f9-4264-859a-e8bc6d236024-00-1vfeomyys26m9.janeway.replit[.]dev
googleplay-santander.pages[.]dev
googleplay-bb.pages[.]dev
googleplay-itau.pages[.]dev
googleplay-mercadolivre.pages[.]dev
googleplay-bradesco.pages[.]dev 4/4
November 6, 2025 at 2:00 PM
#NGate captures NFC card data and relays it to an attacker-controlled device, which uses the data for ATM withdrawals or POS payments, all without physical access to the victim's card. We described #NGate in detail in our blog post in 2024
www.welivesecurity.com/en/eset-rese... 3/4
November 6, 2025 at 2:00 PM
It shares the same package name (com.billy.cardemv) as some #NGate / #PhantomCard variants targeting Brazil, suggesting it could be a new version still focused on Brazil. 2/4
November 6, 2025 at 2:00 PM