Jiri Kropac
@jiriatvirlab.bsky.social
Director of Threat Prevention Labs at @ESET
Reposted by Jiri Kropac
#SlowStepper is a feature-rich backdoor with a toolkit of more than 30 components. We analyzed and documented it in a previous blog post about the compromise of a South Korean VPN service provider. www.welivesecurity.com/en/eset-rese... 4/5
PlushDaemon compromises supply chain of Korean VPN service
ESET researchers uncover a supply-chain attack against a VPN provider in South Korea by a new China-aligned APT group we have named PlushDaemon.
www.welivesecurity.com
November 19, 2025 at 10:12 AM
Reposted by Jiri Kropac
When a network device (e.g., a router) is compromised, EdgeStepper begins to redirect all DNS queries to a malicious DNS node that replies with the IP address of the node that performs update hijacking of popular Chinese software such as Sogou Pinyin Method. 2/5
November 19, 2025 at 10:12 AM
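The post above describes a router-level attack: once the edge device is compromised, every DNS query from the LAN is steered to a malicious resolver, which answers with the address of a node that serves trojanized updates. One practical check for that condition is to resolve the update hosts you care about twice, once through the resolver the router handed out and once through an out-of-band resolver the router cannot rewrite, and compare the answers. The script below is an added example of that comparison, not ESET's tooling or anything from the PlushDaemon write-up; the hostnames, the `.test` domains and the 198.51.100.0/24 and 203.0.113.0/24 addresses are constructed sample data standing in for real update servers and a hijack node.

```python
"""Cross-resolver check for DNS-level update hijacking (added example).

Compares A records seen via the LAN's resolver with records from an
independent resolver. Names whose local answer shares no address with the
reference answer are reported, and addresses that several unrelated names
were all steered to are singled out as likely hijack nodes.
"""
import socket
from collections import defaultdict

# Constructed sample: answers from the router-provided (possibly hijacked)
# resolver. 203.0.113.7 is a documentation address playing the hijack node.
LOCAL_ANSWERS = {
    "update.example-ime.test":     {"203.0.113.7"},
    "dl.example-player.test":      {"203.0.113.7"},
    "updates.example-office.test": {"203.0.113.7"},
    "cdn.example-browser.test":    {"198.51.100.20"},   # CDN round-robin subset
    "api.example-mail.test":       {"198.51.100.31"},
}

# Constructed sample: answers from an out-of-band reference resolver
# (in practice DoH/DoT to a pinned server, so the router cannot rewrite it).
REFERENCE_ANSWERS = {
    "update.example-ime.test":     {"198.51.100.10", "198.51.100.11"},
    "dl.example-player.test":      {"198.51.100.12"},
    "updates.example-office.test": {"198.51.100.13"},
    "cdn.example-browser.test":    {"198.51.100.20", "198.51.100.21"},
    "api.example-mail.test":       {"198.51.100.31"},
}


def resolve_via_system(qname):
    """Collect IPv4 answers from the system resolver, i.e. the one a
    compromised router hands out via DHCP. Not used by the offline sample."""
    try:
        infos = socket.getaddrinfo(qname, None, socket.AF_INET, socket.SOCK_STREAM)
    except socket.gaierror:
        return set()
    return {info[4][0] for info in infos}


def compare_resolvers(local, reference):
    """Return {qname: (local_ips, reference_ips)} for names whose local
    answer has no address in common with the reference answer. Overlap,
    not equality, is required so CDN round-robin does not raise alerts."""
    mismatches = {}
    for qname, ref_ips in reference.items():
        loc_ips = local.get(qname, set())
        if loc_ips and not (loc_ips & ref_ips):
            mismatches[qname] = (frozenset(loc_ips), frozenset(ref_ips))
    return mismatches


def shared_redirect_targets(mismatches, min_names=2):
    """Among mismatched names, find addresses that at least `min_names`
    unrelated domains were steered to. One node fronting many update hosts
    is the signature of a hijack node rather than a stale cache entry."""
    by_ip = defaultdict(set)
    for qname, (loc_ips, _ref) in mismatches.items():
        for ip in loc_ips:
            by_ip[ip].add(qname)
    return {ip: sorted(names) for ip, names in by_ip.items() if len(names) >= min_names}


def report(local=LOCAL_ANSWERS, reference=REFERENCE_ANSWERS):
    """Run both checks and return a plain dict suitable for logging/alerting."""
    mismatches = compare_resolvers(local, reference)
    return {
        "mismatched": sorted(mismatches),
        "redirect_nodes": shared_redirect_targets(mismatches),
    }


if __name__ == "__main__":
    for qname, (loc, ref) in compare_resolvers(LOCAL_ANSWERS, REFERENCE_ANSWERS).items():
        print(f"MISMATCH {qname}: local={sorted(loc)} reference={sorted(ref)}")
    for ip, names in report()["redirect_nodes"].items():
        print(f"likely hijack node {ip} fronting {len(names)} hosts: {', '.join(names)}")
```

The reference answers must come over a channel the edge device cannot transparently intercept. Because the post says the compromised router redirects all DNS queries, sending a plain UDP query to some well-known public resolver IP is not enough; that packet is redirected just like the LAN resolver's. Use DNS over HTTPS or DNS over TLS to a server whose certificate you verify, or collect the reference set from a host outside the suspect network.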
Reposted by Jiri Kropac
The targeted sectors include defense, metal engineering, and the UAV sector. The attackers left the keyword “drone” in their payloads, directly suggesting one of their goals. 3/9
October 23, 2025 at 4:10 AM
Reposted by Jiri Kropac
Android #ToSpy, the spyware used in the other campaign, masquerades solely as the ToTok app. It is distributed through phishing websites impersonating app distribution platforms, such as the Samsung Galaxy Store. 3/6
October 2, 2025 at 9:24 AM
Reposted by Jiri Kropac
The same CVE was recently seen exploited in the wild by other groups (e.g., RomCom), and described by ESET Research in a blog post - www.welivesecurity.com/en/eset-rese... 2/6
Update WinRAR tools now: RomCom and others exploiting zero-day vulnerability
ESET Research discovers a zero-day vulnerability in WinRAR being exploited in the wild in the guise of job application documents.
www.welivesecurity.com
September 26, 2025 at 1:13 PM
Reposted by Jiri Kropac
HybridPetya installs a malicious EFI application to the EFI System Partition, which then encrypts the Master File Table file, an essential metadata file with information about all files on the NTFS-formatted partition. 2/8
September 12, 2025 at 9:02 AM
Reposted by Jiri Kropac
We performed an internet-wide scan to complement ESET telemetry and identify additional servers affected by this threat: at least 65 servers have been affected by late June 2025, mostly in Brazil, Thailand, and Vietnam. 2/6
September 4, 2025 at 10:06 AM
Reposted by Jiri Kropac
Rungan is a passive C++ backdoor capable of executing commands on the compromised server. 4/6
September 4, 2025 at 10:06 AM
Reposted by Jiri Kropac
This vulnerability was also exploited by another threat actor, independently discovered by the Russian cybersecurity company BI.ZONE, who claim Paper Werewolf began using CVE-2025-8088 on July 22, just a few days after RomCom did. 6/7
bi.zone/expertise/bl...
Paper Werewolf attacks Russia using a zero-day vulnerability in WinRAR
The Paper Werewolf cluster continues to attack Russian organizations, this time using vulnerabilities in WinRAR
bi.zone
August 11, 2025 at 9:09 AM