Threat Intelligence can save money, and it doesn’t need to be hard to understand.

Even people living thousands of years ago understood that “knowledge is power”, and amidst the digital era’s rapid developments in technology, including both cyber threats and cyber defense, this ancient wisdom applies more than ever.

A poignant  example, recent ESET research about the newly discovered China-aligned APT group PlushDaemon presented by ESET Malware Researcher Facundo Muñoz at JSAC 2025 conference. This research demonstrates how various users who were seeking protection in the form of a legitimate South-Korean VPN service but, alas, what they attempted to install was in fact trojanized VPN software that delivered spyware.

ESET endpoint protection stopped the malware, but for those who additionally field ESET Threat intelligence and its diversity of feeds, an even more powerful tool lays at their disposal – knowledge. Knowledge about the new threat, the compromised but legitimate URL, and Indicators of compromise (IoC). Using this knowledge, they could readily avoid the threat and check their defenses against the documented PlushDaemon tools.

In May 2024, ESET researchers noticed detections of malicious code in an NSIS installer for Windows that users from South Korea had downloaded from the website of a legitimate South Korean VPN company. This installer deployed both the legitimate software and the malicious implant that ESET researchers named SlowStepper.

Another attack vector for PlushDaemon is to intercept network traffic, hijack update protocols, redirect traffic to attacker-controlled servers, and deliver its SlowStepper implant.

However, SlowStepper is a backdoor that attempts to establish communication with a C&C server to receive further instructions. Once communication is established, SlowStepper can process multiple commands such as:

• Collecting information from the compromised machine such as computer name, list of running processes, list of installed applications, whether cameras or microphones are connected, and more.
• Executing a Python module from its toolkit; the output and any files created by the module are sent to the server.
• Deleting the specified file.
• Process various commands such as creating a complete report about the specified file or deleting the specified file, directory, or all files in a directory.
• Uninstalls SlowStepper by removing its persistence mechanism and removing its files.

Going through the list of SlowStepper’s capabilities, it becomes clear that supply-chain attacks pose significant risks to businesses including financial losses due to system downtime, lost revenue, remediation costs, and reputational damage.

These attacks can also lead to data breaches and consequences can be ruinous. The average cost of a data breach jumped to USD 4.88 million from USD 4.45 million in 2023, according to IBM’s Cost of a Data Breach Report 2024. In fact, third-party breaches including supply chain breaches are among the top 3 factors that amplified breach costs.

On top of that, supply-chain attacks are not rare. Verizon’s 2024 Data Breach Investigations Report (DBIR) saw a 68% year-over-year growth in supply-chain attacks.

Yet, these attacks are only a fraction of cyber threats out there. See this list of most frequent attack vectors, according to IBM’s report:

• Stolen or compromised credentials – 16 %
• Phishing – 15 %
• Cloud misconfiguration – 12%
• Unknown zero-day vulnerability – 11 %
• Business Email Compromise – 10 %
• Malicious insider – 7 %

Seeing these increasingly sophisticated attacks and how businesses are growing concerned about their cybersecurity, there is no surprise that the global threat intelligence market is projected to grow from USD 5.80 billion in 2024 to USD 24.05 billion by 2032.

IBM’s report calculated that a threat intelligence solution decreases average data breach cost by more than USD 240,000.

At the ESET WORLD 2024 conference, Tope Olufon, senior analyst at Forrester, a leading global market research company, stressed the importance of threat intelligence claiming that organizations need to understand the threat landscape and be prepared for upcoming threats.

However, organizations should also be smart about how they use the provided information – threat intelligence is not about counting detected samples but putting them into context and identifying the right stakeholders, according to Mr. Olufon.

Thanks to ESET LiveGrid technology, there are more than 110 million endpoints acting as sensors detecting malware. Combine this data with knowledge of ESET award-wining researchers, and you get a powerful tool that keeps users informed about the current threat landscape, adversaries, malicious programs and their properties, the servers used to propagate them, and even the URLs and domains which spread them.

A threat intelligence feed is an ongoing stream of data related to potential or current threats to an organization’s security that can be easily integrated to SIEM and TIP platforms. Instead of receiving a large amount of non-curated data, ESET shares a curated feed that features top-notch categorization and is pre-filtered for customers to use according to their preferences. Filtering is done by ESET researchers, who understand the internal data intimately.

Such filtering has multiple advantages for users. ESET feeds may be smaller in quantity, but all of the data are relevant and come with a very low rate of false positives. They also come with a significant amount of additional contextual data.

APT Reports provide contextual information about various adversaries, the latest APTs, technical analysis of threats, and activity summaries of the threat landscape. If a new threat is spreading quickly, ESET sends activity alert reports. Users can secure access to both human-readable reports and machine-readable Indicators of Compromise (IoCs).

If you are interested in ESET research blogs like PlushDaemon, or publicly available ESET APT Activity Reports and Threat Reports, bear in mind that these are just the tip of the iceberg of what you can see in documents received from ESET Threat Intelligence.

Now ESET has updated its Threat Intelligence service which consists of 15 feeds and has restructured the ESET APT reports into 3 tiers. Thus, businesses can choose what’s right for them. For example, while a large enterprise can get all the feeds and the highest tier APT report, some other businesses may opt just for a few feeds that are essential to secure their operations.

Users of the ESET Threat Intelligence APT Reports’ Advanced and Ultimate tiers can reduce complexity further with ESET AI Advisor, a specialized AI chatbot designed to provide information about APTs.

Here is the list of feeds:

1. Malicious files feed
2. Domain feed
3. URL feed
4. IP feed
5. Botnet feed with two subfeeds:
   a) Botnet – C&C feed
   b) Botnet – Targets feed
6. APT IoC feed
7. Android infostealer feed
8. Android threats feed
9. Cryptoscam feed
10. Malicious email attachments feed
11. Phishing URL feed
12. Ransomware feed
13. Scam URL feed
14. Smishing feed
15. SMS scam feed

As the world of cybercrime evolves rapidly, new threats are more sophisticated and agile, having access to intelligence about the threat landscape becomes a necessity. ESET Threat Intelligence and its data feeds can set businesses’ minds at ease knowing that they regularly receive the latest information about specific dangers.

What’s more, ESET works tirelessly to make this service as simple-to-use as possible. With APT reports enhanced by AI, curated intelligence feeds, filtering, and seamless integration, businesses can have the current threat landscape for breakfast.