PlushDaemon global espionage campaign

Campaign
First reported
Last updated
Happening score: 39
1 unique source, 1 article

Summary


PlushDaemon is running a long-lived global espionage campaign that targets organizations across multiple countries, increasing the risk of cross-border compromise and repeated follow-on intrusions. The operation uses hijacked software updates and a malicious DNS node to support adversary-in-the-middle access and payload delivery. Researchers also linked the activity to a May 2024 supply-chain attack against IPany.

Related Happenings

Evasive Panda DNS poisoning MgBot espionage campaign

Campaign
First: 26.12.2025 16:44 Last: 26.12.2025 16:44 Sources 1

About this happening: **Evasive Panda** ran a **highly targeted cyber espionage campaign** that used **DNS poisoning** to deliver **MgBot** to victims in **Türkiye, China, and India**. The operation wa...

LongNosedGoblin cyber-espionage campaign targeting government entities in Southeast Asia and Japan

Campaign
First: 18.12.2025 19:34 Last: 18.12.2025 19:34 Sources 1

About this happening: A **LongNosedGoblin** campaign is targeting **governmental entities in Southeast Asia and Japan**, creating a sustained risk of **cyber espionage** and **file exfiltration** insid...

UDPGangster backdoor deployed by MuddyWater

Malware Activity
First: 08.12.2025 08:46 Last: 08.12.2025 08:46 Sources 1

About this happening: The **MuddyWater** group has deployed **UDPGangster**, a new backdoor that uses **UDP C2** to control compromised systems and expand post-compromise access. The malware can **exec...

MuddyWater phishing campaign targeting Israeli entities with MuddyViper

Campaign
First: 02.12.2025 15:37 Last: 02.12.2025 15:37 Sources 1

About this happening: A **MuddyWater** phishing campaign is targeting **Israeli academia, government, industry, transport, and utilities**, and the operation matters because it is delivering the **Mudd...

APT24 BadAudio multi-delivery espionage campaign

Campaign
First: 21.11.2025 00:12 Last: 21.11.2025 00:12 Sources 1

About this happening: **APT24** is running a **three-year espionage campaign** with **BadAudio** that has expanded into multiple delivery methods, increasing the operation's reach and stealth. Since **...

Timeline

  1. 19.11.2025 14:00 2 articles · 6mo ago

    PlushDaemon deploys undocumented AitM implant

    Initial Disclosure

    PlushDaemon’s espionage activity is publicly described as using an undocumented adversary-in-the-middle implant, bioset / dns_cheat_v2, that forwards DNS traffic from targeted networks to a malicious DNS node, enabling software-update hijacking and delivery of the LittleDaemon and DaemonLogistics backdoor toolkit. Researchers also linked the group to a May 2024 supply-chain attack on IPany and described broader targeting of organizations in Cambodia, South Korea, New Zealand, the US, Taiwan, Hong Kong, and China since at least 2018.
