×
ItalianoEnglish
Set as default language

Grandangolo Communications

  • Home
  • Company
  • Services
    • Public Relation
    • Digital PR
    • Marketing
    • Lead Generation
    • Events
  • Best Practice
  • Customer Press Room
  • Contacts
  • Languages
  • Home
  • Customer Press Room
  • Eset
  • ESET Research: Chinese group PlushDaemon compromises network devices to conduct adversary-in-the-middle attacks

Customer Press Room

ESET Research: Chinese group PlushDaemon compromises network devices to conduct adversary-in-the-middle attacks

by Grandangolo Communications / Wednesday, 19 November 2025 / Published in Eset

ESET has identified EdgeStepper, a component that diverts updates to controlled infrastructures. PlushDaemon uses it to distribute downloaders and the SlowStepper backdoor. Cyber ​​espionage operations are conducted by compromising network devices and Windows systems

Researchers of ESET, a global leader in the cybersecurity market, have discovered that the China-aligned PlushDaemon threat group is conducting adversary-in-the-middle attacks by leveraging a previously undocumented malicious component targeting network devices (such as routers), which ESET has named EdgeStepper. This component redirects all DNS queries to an external, malicious DNS server, which responds by providing the address of a node dedicated to hijacking updates. In practice, attackers are thus able to redirect software update traffic to infrastructures under their control, with the aim of distributing the LittleDaemon and DaemonicLogistics downloaders on the targeted systems and, ultimately, installing SlowStepper. SlowStepper is a modular backdoor composed of numerous components used for cyberespionage activities. These malicious components allow PlushDaemon to compromise targets globally.

Since 2019, this pro-Chinese group has conducted attacks in the United States, New Zealand, Cambodia, Hong Kong, Taiwan and also in mainland China. The victims include a university in Beijing, a Taiwanese company in the electronics sector, a company in the automotive sector and a branch of a Japanese company active in manufacturing.

In the identified attack scenario, PlushDaemon first compromises a network device to which the victim could connect. The compromise is likely achieved by exploiting a vulnerability in the device's software or by leveraging weak and/or known administrative credentials, thus allowing attackers to install EdgeStepper (and potentially other tools).

"Once active, EdgeStepper begins to redirect DNS queries to a malicious DNS node that checks whether the requested domain is linked to a software update; if so, it responds by providing the IP address of the hijacking node. Alternatively, we have observed servers that act as both a DNS node and a hijacking node: in these cases, the DNS node responds to queries with its own IP address," explains Facundo Muñoz, ESET researcher who discovered and analyzed the attack. “Several popular software in China had their updates hijacked by PlushDaemon via EdgeStepper,” he adds.

PlushDaemon is a China-aligned threat actor active since at least 2018, engaged in espionage operations against individuals and organizations in the Asia-Pacific region and the United States. It uses a custom backdoor that ESET identifies as SlowStepper. In the past, ESET Research has observed this group gain access by exploiting vulnerabilities in web servers and, in 2023, conduct a supply chain attack.

For a more in-depth analysis of PlushDaemon's most recent activity, the article is available "PlushDaemon compromises network devices for adversary-in-the-middle attacks” are WeLiveSecurity.com. ESET Research updates can also be followed on Twitter (today X), BlueSky e Mastodon.

Tagged under: Eset

About Grandangolo Communications

What you can read next

ESET among the top vendors in the endpoint security market
ESET introduces XDR security solutions dedicated to Managed Service Providers to protect customers' digital journeys
ESET League 2023 kicks off

Customer Press Room

  • Arrow Electronics has been awarded by Equinix as Distributor of the Year 2025 for the EMEA region

    Arrow Electronics, a global supplier of technology...
  • SentinelOne makes the Purple AI Agentic Investigation solution available to all customers, bringing the latest generation AI directly into the SOC

    The investigations, started autonomously and without need...
  • Acronis TRU reveals the ongoing evolution of the INC ransomware group

    A recent report published by Acronis Threat ...
  • ESET Research investigates the Gentlemen ransomware author group and its defense evasion tools

    The Gentlemen Group develops, maintains and supplies...
  • Imprivata presents the Agentic Identity Management solution to protect and govern the access of AI agents

    Imprivata, a leading company in Ac...

Archives

  • June 2026
  • May 2026
  • April 2026
  • March 2026
  • February 2026
  • January 2026
  • December 2025
  • November 2025
  • October 2025
  • September 2025
  • August 2025
  • July 2025
  • June 2025
  • May 2025
  • April 2025
  • March 2025
  • February 2025
  • January 2025
  • December 2024
  • November 2024
  • October 2024
  • September 2024
  • August 2024
  • July 2024
  • June 2024
  • May 2024
  • April 2024
  • March 2024
  • February 2024
  • January 2024
  • December 2023
  • November 2023
  • October 2023
  • September 2023
  • August 2023
  • July 2023
  • June 2023
  • May 2023
  • April 2023
  • March 2023
  • February 2023
  • January 2023
  • December 2022
  • November 2022
  • October 2022
  • September 2022
  • August 2022
  • July 2022
  • June 2022
  • May 2022
  • April 2022
  • March 2022
  • February 2022
  • January 2022
  • December 2021
  • November 2021
  • October 2021
  • September 2021
  • August 2021
  • July 2021
  • June 2021
  • May 2021
  • April 2021
  • March 2021
  • February 2021
  • January 2021
  • December 2020
  • November 2020
  • October 2020
  • September 2020
  • August 2020
  • July 2020
  • June 2020
  • May 2020
  • April 2020
  • March 2020
  • February 2020
  • January 2020
  • December 2019
  • November 2019
  • October 2019
  • September 2019
  • August 2019
  • July 2019
  • June 2019
  • May 2019
  • April 2019
  • March 2019
  • February 2019
  • January 2019
  • December 2018

Categories

  • A10
  • abstract
  • Abstract
  • Acronis
  • Ally Consulting
  • Arrow
  • Arrow Electronics
  • Axiante
  • Babel
  • Computer Center
  • Cohesity
  • Italy Cloud Consortium
  • Consys
  • D-Link
  • Eset
  • G.B. Service
  • Habble
  • HiSolution
  • HYCU
  • Icos
  • Imprivate
  • Information Tecnology
  • Innovaway
  • Ivanti
  • Link11
  • MobileIron
  • Netalia
  • Nethive
  • Nexthink
  • Nuvis
  • Praim
  • QAD
  • Qualys
  • Red Hot Cyber
  • Riverbed
  • Saviynt
  • Sensormatic
  • SentinelOne
  • Talent Software
  • Vectra
  • Vectra AI
  • Vertiv

Office printing, digital PR, marketing, lead generation: all projects are born from our passion and expertise, with an inevitable touch of creativity and innovation.

COMPANY

Grandangolo Communications Srl
Via Sardegna 19
20146 Milano
Telephone +39 335 8283393
info@grandangolo.it

I SERVIZI

  • Home
  • Company
  • Services
  • Best Practice
  • Customer Press Room
  • Contacts
  • Languages

CONTACTS

  • Contacts
  • Cookie policy
  • Privacy policy

© 2019 GRANDANGOLO COMMUNICATIONS SRL | P.IVA IT 06394850967 | All rights reserveD.

Powered by Webpowerplus

TOP