Overview
- Researchers say the implant intercepts DNS queries on compromised edge devices and redirects software-update requests to attacker-controlled nodes.
- Access to routers was obtained via known vulnerabilities or weak administrative credentials before the tool was deployed.
- Hijacked update channels deliver LittleDaemon and DaemonicLogistics, which then fetch and execute the SlowStepper backdoor with extensive data-theft capabilities.
- ESET identifies victims in the United States, New Zealand, Cambodia, Hong Kong, Taiwan, South Korea, and mainland China, among them universities and manufacturers, including automotive firms.
- The technical analysis describes the Distributor and Ruler modules and documents hijacks of popular software such as Sogou Pinyin, with indicators of compromise released to support defensive hunting.