SlowStepper
SlowStepper is a custom, modular Windows backdoor used by the China-aligned espionage group PlushDaemon. It is described as the group’s signature implant and is delivered through adversary-in-the-middle software update hijacking operations. In the observed intrusion chain, PlushDaemon compromises network devices such as routers, deploys the EdgeStepper network implant to hijack DNS traffic and redirect legitimate software update requests to attacker-controlled infrastructure, and then delivers the LittleDaemon and DaemonicLogistics downloaders, which install SlowStepper on victim systems. The campaign has included hijacking updates for popular Chinese software such as Sogou Pinyin, and PlushDaemon has also been linked to a supply-chain attack against the South Korean VPN provider IPany that delivered SlowStepper.
SlowStepper is characterized as a feature-rich espionage backdoor. Reported capabilities include gathering detailed system information, executing commands, performing extensive file operations, stealing local files and documents, collecting browser data (including cookies and saved credentials), harvesting passwords, capturing screenshots, and extracting data from messaging applications such as WeChat. Reported functionality also includes audio and video capture, Python-based spyware modules, keylogging (keystroke interception), and self-uninstallation.
PlushDaemon has been active since at least 2018 and has targeted organizations and individuals in China, Hong Kong, Taiwan, Cambodia, South Korea, New Zealand, and the United States, including universities, electronics and manufacturing companies, and automotive-sector entities. The high-confidence indicators reported for this family are primarily associated with the delivery chain rather than with SlowStepper itself: the EdgeStepper-linked domains ds20221202.dsc.wcsset[.]com and test.dsc.wcsset[.]com (written defanged), and the downloader filename popup_4.2.0.2246.dll used as LittleDaemon.
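As an added example (not code from this page or from any vendor report), the following Python script hunts for the delivery-chain indicators above in DNS and file-creation telemetry, and also flags the hijack pattern the overview describes: a legitimate software update hostname resolving to an address outside the range its vendor actually answers from. The log line formats, the update hostname update.example-ime.invalid and its allowlisted range are assumptions made for the demo; the two wcsset[.]com hostnames and the popup_4.2.0.2246.dll filename are the indicators named on this page.

```python
"""Hunt for PlushDaemon delivery-chain artefacts in DNS and file telemetry.

Added example, not code from the page or from any vendor report. The log
formats and the update hostname/IP allowlist are assumptions made for the
demo; the two EdgeStepper domains and the LittleDaemon filename are the
indicators named on the page.
"""
import ipaddress
import re

# Indicators taken from the page, written defanged as published.
EDGESTEPPER_DOMAINS = {"ds20221202.dsc.wcsset[.]com", "test.dsc.wcsset[.]com"}
LITTLEDAEMON_FILENAME = "popup_4.2.0.2246.dll"

# ASSUMPTION: a legitimate update hostname and the address range its real
# update servers answer from. Replace with your own vendor's values.
UPDATE_HOST_ALLOWLIST = {
    "update.example-ime.invalid": [ipaddress.ip_network("203.0.113.0/24")],
}

# ASSUMPTION: simple one-line-per-event log formats for the demo.
DNS_LINE = re.compile(
    r"^(?P<ts>\S+) dns client=(?P<client>\S+) qname=(?P<qname>\S+) answer=(?P<answer>\S+)$"
)
FILE_LINE = re.compile(
    r"^(?P<ts>\S+) file client=(?P<client>\S+) event=create path=(?P<path>\S+)$"
)


def refang(domain):
    """Turn the defanged form 'a.b[.]c' back into 'a.b.c' for matching."""
    return domain.replace("[.]", ".").lower().rstrip(".")


IOC_DOMAINS = {refang(d) for d in EDGESTEPPER_DOMAINS}


def is_ioc_domain(qname):
    """Exact match on a published EdgeStepper hostname, or a subdomain of one."""
    q = refang(qname)
    return q in IOC_DOMAINS or any(q.endswith("." + d) for d in IOC_DOMAINS)


def hijacked_update_answer(qname, answer):
    """True when a known update host resolves outside its allowlisted range.

    This is the observable side of the DNS hijack: the client asks for the
    vendor's real hostname but receives an attacker-controlled address.
    """
    q = refang(qname)
    if q not in UPDATE_HOST_ALLOWLIST:
        return False
    try:
        ip = ipaddress.ip_address(answer)
    except ValueError:
        # A non-address answer for a host we expect to pin to an A record is
        # itself worth a look, so treat it as a finding.
        return True
    return not any(ip in net for net in UPDATE_HOST_ALLOWLIST[q])


def hunt(lines):
    """Return a list of (timestamp, client, reason) findings from raw log lines."""
    findings = []
    for line in lines:
        m = DNS_LINE.match(line)
        if m:
            if is_ioc_domain(m["qname"]):
                findings.append((m["ts"], m["client"], f"query to EdgeStepper domain {m['qname']}"))
            elif hijacked_update_answer(m["qname"], m["answer"]):
                findings.append((m["ts"], m["client"],
                                 f"update host {m['qname']} resolved to {m['answer']} outside allowlist"))
            continue
        m = FILE_LINE.match(line)
        if m:
            # Normalise Windows separators and compare the basename only.
            basename = m["path"].lower().replace("\\", "/").rsplit("/", 1)[-1]
            if basename == LITTLEDAEMON_FILENAME:
                findings.append((m["ts"], m["client"], f"LittleDaemon filename written: {m['path']}"))
    return findings


# Constructed sample telemetry (not real captures); 10.0.0.7 is the victim.
SAMPLE_LOG = [
    "2025-01-20T08:00:01Z dns client=10.0.0.5 qname=update.example-ime.invalid answer=203.0.113.10",
    "2025-01-20T08:00:02Z dns client=10.0.0.7 qname=update.example-ime.invalid answer=198.51.100.23",
    "2025-01-20T08:00:03Z dns client=10.0.0.7 qname=test.dsc.wcsset.com answer=198.51.100.23",
    "2025-01-20T08:00:04Z dns client=10.0.0.9 qname=www.example.invalid answer=192.0.2.1",
    "2025-01-20T08:00:05Z file client=10.0.0.7 event=create path=C:\\Users\\alice\\AppData\\Local\\Temp\\popup_4.2.0.2246.dll",
]

if __name__ == "__main__":
    for ts, client, reason in hunt(SAMPLE_LOG):
        print(ts, client, reason)
```

On the sample data the script produces three findings, all against 10.0.0.7: the redirected update resolution, the query to an EdgeStepper-linked hostname, and the LittleDaemon filename being written. Two caveats for real deployments: the wcsset[.]com hostnames are tied to the EdgeStepper network implant, which runs on the compromised router, so expect them in router or upstream resolver telemetry rather than in endpoint DNS logs; and the allowlist check only works if you know the legitimate address ranges of the update services you care about, which is exactly the knowledge an adversary-in-the-middle update hijack relies on you not having.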
Groups observed using it
1 distinct threat actor attributed by public researchers: PlushDaemon.
If a software update request for a targeted product is found, EdgeStepper redirects it to PlushDaemon's infrastructure, resulting in the download of a trojanized update. The attacks lead to the deployment of SlowStepper.
Techniques & procedures
13 distinct techniques documented for this family, organized by ATT&CK tactic.
Initial Access
1 technique
PlushDaemon was first documented by the Slovak cybersecurity company ESET in January 2025, in a report detailing a supply-chain attack on the South Korean virtual private network (VPN) provider IPany that targeted a semiconductor company and an unidentified software development company in South Korea with the feature-rich implant dubbed SlowStepper.
Execution
1 technique
The SlowStepper malware enables hackers to collect detailed system information, execute extensive file operations, run commands, and use various Python-based spyware tools that can steal data from the browser, intercept keystrokes, and collect credentials.
Credential Access
4 techniques
The SlowStepper malware enables hackers to collect detailed system information, execute extensive file operations, run commands, and use various Python-based spyware tools that can steal data from the browser, intercept keystrokes, and collect credentials.
Discovery
2 techniques
Collection
6 techniques
SlowStepper is a feature-rich espionage backdoor with modules for browser data collection, audio/video capture, document theft, and credential harvesting.
Recent activity
10 sources tracked across advisories, community write-ups, and news.
Signature implant/backdoor associated with PlushDaemon supply-chain activity (deployed via trojanized installer).
SlowStepper is a malware payload delivered via adversary-in-the-middle attacks on software updates, following initial compromise by EdgeStepper.
Backdoor deployed on Windows machines as part of the PlushDaemon toolchain.
SlowStepper is a modular backdoor deployed as a final payload, capable of stealing credentials, files, browser cookies, WeChat data, and screenshots from infected systems.