SYMBOLCOMMON_NAMEaka. SYNONYMS
elf.little_daemon (Back to overview)

LittleDaemon

Actor(s): PlushDaemon

According to ESET Research, LittleDaemon is the first stage deployed on the victim’s machine through hijacked updates. It was observed in both DLL and executable versions, both of them 32-bit PEs. The main purpose of LittleDaemon is to communicate with the hijacking node to obtain the downloader that we call DaemonicLogistics. LittleDaemon does not establish persistence.

References
2025-11-19ESET ResearchDávid Gábriš, Facundo Muñoz
PlushDaemon compromises network devices for adversary-in-the-middle attacks
EdgeStepper LittleDaemon

There is no Yara-Signature yet.