LittleDaemon
LittleDaemon is a custom Windows downloader used by the China-aligned espionage group PlushDaemon as the first stage in a hijacked software-update infection chain. ESET reporting states it is delivered through adversary-in-the-middle attacks enabled by the group’s EdgeStepper network implant, which redirects DNS queries for legitimate software update domains to attacker-controlled infrastructure. The malware has been observed in both DLL and executable 32-bit PE forms and is commonly disguised as a DLL, including as popup_4.2.0.2246.dll. Its primary function is to communicate with the attacker-controlled hijacking node and, if the group’s SlowStepper backdoor is not already present or running on the victim system, fetch the next-stage downloader DaemonicLogistics, which then leads to deployment of SlowStepper on Windows machines. The campaign has included hijacking updates for popular Chinese software such as Sogou Pinyin. LittleDaemon itself does not establish persistence. Reported targeting associated with PlushDaemon includes organizations and individuals in China, Hong Kong, Taiwan, Cambodia, New Zealand, South Korea, and the United States, including universities and manufacturing-related entities. High-confidence indicators directly mentioned in the content include the masqueraded filename popup_4.2.0.2246.dll and its role in the EdgeStepper -> LittleDaemon -> DaemonicLogistics -> SlowStepper infection chain.
Groups observed using it
1 distinct threat actor attributed by public researchers.
“…PlushDaemon that leveraged the same technique to distribute a custom downloader called LittleDaemon.”
Techniques & procedures
7 distinct techniques documented for this family, organized by ATT&CK tactic.
Initial Access: 2 techniques
Execution: 1 technique
Stealth: 3 techniques. “The payload chain typically begins with LittleDaemon, a downloader posing as a DLL...”
Credential Access: 1 technique
Collection: 1 technique
Command and Control: 1 technique
A first-stage deployed through hijacked updates, LittleDaemon is designed to communicate with the attacker node to fetch a downloader referred to as DaemonicLogistics if SlowStepper is not running on the infected system. The main purpose of DaemonicLogistics is to download the SlowStepper backdoor from the server and execute it.
Recent activity
8 sources tracked across advisories, community write-ups, and news.
Downloader used to deploy the SlowStepper backdoor onto Windows systems.
LittleDaemon is a downloader component, masquerading as a DLL, used to check for and fetch additional payloads in the attack chain initiated by EdgeStepper.
LittleDaemon is a downloader delivered via hijacked software updates. It checks for the presence of the SlowStepper backdoor and, if not present, downloads and executes DaemonicLogistics, which is responsible for deploying the main backdoor. LittleDaemon does not establish persistence and can remove itself after execution.
LittleDaemon is a Windows-based first-stage downloader, disguised as a DLL, that communicates with attacker infrastructure to fetch and execute additional payloads.