PlushDaemon dns_cheat_v2 AitM implant
Malware Activity
Summary
PlushDaemon is now known to operate dns_cheat_v2, an undocumented AitM implant that can reroute DNS traffic and help deliver malicious software updates into targeted networks. The tool increases the risk of update hijacking and follow-on espionage by steering victims to a malicious DNS node. Researchers tied the implant to 2024 activity and linked it to the group’s update-abuse tradecraft.
Related Happenings
BeardShell and Covenant custom implant deployment
Malware Activity
First: 10.03.2026 12:00
Last: 10.03.2026 12:00
Sources 1
About this happening:
**APT28** is deploying **customized Covenant** and **BeardShell** implants to sustain espionage against **Ukrainian government and military targets**, strengthening stealth and pe...
Evasive Panda DNS poisoning MgBot espionage campaign
Campaign
First: 26.12.2025 16:44
Last: 26.12.2025 16:44
Sources 1
About this happening:
**Evasive Panda** ran a **highly targeted cyber espionage campaign** that used **DNS poisoning** to deliver **MgBot** to victims in **Türkiye, China, and India**. The operation wa...
APT24 BadAudio multi-delivery espionage campaign
Campaign
First: 21.11.2025 00:12
Last: 21.11.2025 00:12
Sources 1
About this happening:
**APT24** is running a **three-year espionage campaign** with **BadAudio** that has expanded into multiple delivery methods, increasing the operation's reach and stealth. Since **...
PlushDaemon global espionage campaign
Campaign
First: 19.11.2025 14:00
Last: 19.11.2025 14:00
Sources 1
How related:
The group, PlushDaemon, has been active since at least 2018 and has targeted organizations in Cambodia, South Korea, New Zealand, the US, Taiwan and even Hong Kong and China.
About this happening:
**PlushDaemon** is running a long-lived **global espionage campaign** that targets organizations across **multiple countries**, increasing the risk of cross-border compromise and...
PlushDaemon software update hijacking campaign
Campaign
First: 19.11.2025 12:00
Last: 19.11.2025 12:00
Sources 1
About this happening:
**PlushDaemon** is actively **hijacking software update traffic** in a **cyberespionage campaign**, expanding the risk of supply-chain style access across **multiple countries**....
Timeline
- 19.11.2025 14:00 · 2 articles · 6mo ago
PlushDaemon dns_cheat_v2 AitM implant
Initial Disclosure:
Researchers first identified an **ELF file** called **bioset** with PlushDaemon infrastructure links in **2024**. Analysis showed it was the previously undocumented **dns_cheat_v2** implant used for **AitM DNS forwarding**.
Sources:
- PlushDaemon Hackers Unleash New Malware in China-Aligned Spy Campaigns — www.infosecurity-magazine.com — 19.11.2025 14:00