DaemonicLogistics
DaemonicLogistics is a Windows-stage downloader/dropper used by the China-aligned espionage group PlushDaemon as part of an adversary-in-the-middle software-update hijacking chain. It is delivered after the LittleDaemon downloader, which is pushed via EdgeStepper, a network implant placed on compromised routers and other edge devices that hijacks DNS responses for legitimate software update domains. DaemonicLogistics is described as position-independent code that is decrypted and executed in memory by LittleDaemon. Its primary purpose is to download, deploy, and execute PlushDaemon’s signature backdoor, SlowStepper, on victim Windows systems. Reporting states that it interprets HTTP status codes from the hijacked server as commands to control the download and installation of SlowStepper. One report also states that it checks for the presence of 360tray.exe (360 Total Security) before deploying SlowStepper, and that it may store files in directories named after legitimate software such as Tencent to masquerade as benign. The broader campaign has targeted organizations and individuals in China, Hong Kong, Taiwan, Cambodia, South Korea, New Zealand, and the United States, including universities and manufacturing-related entities, by abusing trusted update mechanisms such as Sogou Pinyin updates.
Groups observed using it
1 distinct threat actor attributed by public researchers.
"We provide an analysis of LittleDaemon and DaemonicLogistics, two downloaders that deploy the group’s signature SlowStepper backdoor on Windows machines."
Techniques & procedures
4 distinct techniques documented for this family, organized by ATT&CK tactic.
Initial Access: 1 technique
Stealth: 1 technique
Credential Access: 1 technique
Collection: 1 technique
Command and Control: 1 technique
LittleDaemon establishes communication with the attacker's hijacking node and fetches a second malware dropper named DaemonicLogistics, which is decrypted and executed in memory. In the next stage of the attack, the hackers use DaemonicLogistics to retrieve their signature backdoor, SlowStepper.
Recent activity
6 sources tracked across advisories, community write-ups, and news.
Downloader used to deploy the SlowStepper backdoor onto Windows systems.
DaemonicLogistics is a loader that interprets HTTP status codes from attacker infrastructure as commands to download and install the SlowStepper backdoor.
DaemonicLogistics is a downloader executed in memory by LittleDaemon. It communicates with attacker infrastructure to receive commands and download the SlowStepper backdoor or other payloads. It can check for security software and masquerade its payloads as legitimate files.
DaemonicLogistics is a memory-executed dropper used to retrieve and deploy the PlushDaemon group's signature backdoor, SlowStepper.