🇨🇳 PlushDaemon
🇨🇳 PlushDaemon is a tracked threat actor in the Clankerusecase corpus. Attributed to CN. Primary motivation: State. We map 14 detection use cases to this actor across 65 MITRE ATT&CK techniques, with 3 threat-intel articles citing them. Active in our corpus from 2025-11-06 to 2025-12-18.
crit 3
14 Use cases
3 Articles
65 Techniques
4 IOCs
Known aliases
PlushDaemon
Top techniques
All other tracked techniques
T1016 · System Network Configuration Discovery
T1021.002 · SMB/Windows Admin Shares
T1027 · Obfuscated Files or Information
T1027.009 · Embedded Payloads
T1027.013 · Encrypted/Encoded File
T1027.015 · Compression
T1036.008 · Masquerade File Type
T1053.005 · Scheduled Task
T1055 · Process Injection
T1056.001 · Keylogging
T1057 · Process Discovery
T1059.003 · Windows Command Shell
T1059.005 · Visual Basic
T1070.004 · File Deletion
T1071 · Application Layer Protocol
T1071.001 · Web Protocols
T1071.004 · DNS
T1074.001 · Local Data Staging
T1082 · System Information Discovery
T1083 · File and Directory Discovery
T1098.001 · Additional Cloud Credentials
T1102.002 · Bidirectional Communication
T1105 · Ingress Tool Transfer
T1106 · Native API
T1125 · Video Capture
T1195.002 · Compromise Software Supply Chain
T1203 · Exploitation for Client Execution
T1204.001 · Malicious Link
T1204.002 · Malicious File
T1204.004 · Malicious Copy and Paste
T1217 · Browser Information Discovery
T1218 · System Binary Proxy Execution
T1219 · Remote Access Tools
T1480 · Execution Guardrails
T1518.001 · Security Software Discovery
T1528 · Steal Application Access Token
T1547.001 · Registry Run Keys / Startup Folder
T1555.003 · Credentials from Web Browsers
T1560 · Archive Collected Data
T1562.001 · Disable or Modify Tools
T1564.003 · Hidden Window
T1566 · Phishing
T1566.001 · Spearphishing Attachment
T1566.002 · Spearphishing Link
T1567.002 · Exfiltration to Cloud Storage
T1568.002 · Domain Generation Algorithms
T1569.002 · Service Execution
T1573 · Encrypted Channel
T1573.001 · Symmetric Cryptography
T1573.002 · Asymmetric Cryptography
T1574.002 · DLL Side-Loading
T1574.014 · AppDomainManager
T1583.001 · Domains
T1583.002 · DNS Server
T1583.004 · Server
T1585.003 · Cloud Accounts
T1588.001 · Malware
T1608.001 · Upload Malware
T1620 · Reflective Code Loading
T1622 · Debugger Evasion
T1659 · Content Injection
T1665 · Hide Infrastructure
Detection use cases (14)
PlushDaemon SlowStepper sideload chain — signed-binary loader pulling stagers from gitee/GitHub
PlushDaemon hijacked-installer persistence — supply-chain dropper writing to %PROGRAMDATA%\Apex with scheduled-task/Run-key persistence
NosyDoor AppDomainManager hijack: UevAppMonitor.exe executing from non-standard path
NosyDoor persistence: scheduled task 'OneDrive Reporting Task-S-1-5-21-' under Microsoft folder
NosyDoor dropper file artefacts in C:\Windows\Microsoft.NET\Framework
Beaconing — periodic outbound to small set of destinations
Remote service execution — PsExec / SMB lateral movement
OAuth consent / suspicious app grant
Scheduled task created with suspicious image / encoded args
PowerShell encoded / obfuscated command
RMM tool installed by non-IT user — remote-access utility for hands-on-keyboard
Article-specific behavioural hunt — LongNosedGoblin tries to sniff out governmental affairs in Southeast Asia and Ja
PlushDaemon EdgeStepper hijacking infrastructure (wcsset.com / 47.242.198.250 / 8.212.132.120) contact
LittleDaemon / DaemonicLogistics update-hijack URL pattern (popup_4.2.0.2246.dll, /update/updateInfo.bzp, /update/file6.bdat, /update/file2.
Threat-intel articles (3)
crit LongNosedGoblin tries to sniff out governmental affairs in Southeast Asia and Japan · 2025-12-18
crit ESET APT Activity Report Q2 2025–Q3 2025 · 2025-11-06
Tracked indicators
Domains (2)
ds20221202.dsc.wcsset.co
test.dsc.wcsset.com
IP addresses (2)
119.136.153.0
47.242.198.250
CVEs (2)
CVE-2024-42009
CVE-2025-8088