ESET has identified EdgeStepper, a component that diverts software updates to attacker-controlled infrastructure. PlushDaemon uses it to distribute downloaders and the SlowStepper backdoor, conducting cyber espionage operations by compromising network devices and Windows systems.
Researchers at ESET, a global leader in the cybersecurity market, have discovered that the China-aligned PlushDaemon threat group is conducting adversary-in-the-middle attacks by leveraging a previously undocumented malicious component targeting network devices (such as routers), which ESET has named EdgeStepper. This component redirects all DNS queries to an external, malicious DNS server, which responds with the address of a node dedicated to hijacking updates. In practice, the attackers can thus redirect software update traffic to infrastructure under their control, with the aim of delivering the LittleDaemon and DaemonicLogistics downloaders to the targeted systems and, ultimately, installing SlowStepper, a modular backdoor composed of numerous components used for cyberespionage. These malicious components allow PlushDaemon to compromise targets globally.
Since 2019, this China-aligned group has conducted attacks in the United States, New Zealand, Cambodia, Hong Kong, Taiwan and mainland China. The victims include a university in Beijing, a Taiwanese company in the electronics sector, a company in the automotive sector and a branch of a Japanese manufacturing company.
In the identified attack scenario, PlushDaemon first compromises a network device to which the victim could connect. The compromise is likely achieved by exploiting a vulnerability in the device's software or by leveraging weak and/or known administrative credentials, thus allowing attackers to install EdgeStepper (and potentially other tools).
"Once active, EdgeStepper begins to redirect DNS queries to a malicious DNS node that checks whether the requested domain is linked to a software update; if so, it responds by providing the IP address of the hijacking node. Alternatively, we have observed servers that act as both a DNS node and a hijacking node: in these cases, the DNS node responds to queries with its own IP address," explains Facundo Muñoz, the ESET researcher who discovered and analyzed the attack. "Several popular software packages in China had their updates hijacked by PlushDaemon via EdgeStepper," he adds.
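As an added illustration (not ESET's code or tooling), the following Python heuristics look for the two DNS behaviours just described in resolver logs: an update-related name answered with the resolver's own address, and several update-related names all answered with one address. The log records, hostnames, addresses and the update-name hints are constructed for this example.

```python
from collections import defaultdict

# Constructed resolver log records: (resolver_ip, query_name, answer_ip).
# None of these addresses or names come from ESET's report.
SAMPLE_RECORDS = [
    ("203.0.113.10", "update.vendor-a.test", "203.0.113.10"),
    ("203.0.113.10", "dl.vendor-b.test", "203.0.113.10"),
    ("203.0.113.10", "www.news-site.test", "198.51.100.7"),
    ("192.0.2.53", "update.vendor-a.test", "198.51.100.20"),
    ("192.0.2.53", "upgrade.vendor-c.test", "198.51.100.20"),
    ("192.0.2.53", "download.vendor-d.test", "198.51.100.20"),
    ("192.0.2.53", "www.news-site.test", "198.51.100.7"),
]

# Assumed naming hints for update/download hostnames; replace with your own
# inventory of vendor update endpoints in practice.
UPDATE_HINTS = ("update", "upgrade", "download", "dl.")


def is_update_domain(qname: str) -> bool:
    """Crude classifier: does the hostname look like a software-update endpoint?"""
    name = qname.lower()
    return any(hint in name for hint in UPDATE_HINTS)


def find_hijack_patterns(records, min_shared=3):
    """Flag the two patterns described in the report.

    self_answer: the resolver returns its own address for an update domain
                 (a DNS node that doubles as the hijacking node).
    shared_sink: at least `min_shared` distinct update domains resolve to the
                 same single address (one hijacking node serving many vendors).
    """
    self_answer = []
    domains_by_answer = defaultdict(set)
    for resolver, qname, answer in records:
        if not is_update_domain(qname):
            continue
        if answer == resolver:
            self_answer.append((resolver, qname))
        domains_by_answer[answer].add(qname)
    shared_sink = {
        answer: sorted(names)
        for answer, names in domains_by_answer.items()
        if len(names) >= min_shared
    }
    return {"self_answer": self_answer, "shared_sink": shared_sink}


if __name__ == "__main__":
    for kind, hits in find_hijack_patterns(SAMPLE_RECORDS).items():
        print(kind, hits)
```

Vendors that share a CDN will legitimately trigger `shared_sink`, so allowlist known CDN addresses or compare answers against an independent resolver before raising an alert.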
PlushDaemon is a China-aligned threat actor active since at least 2018, engaged in espionage operations against individuals and organizations in the Asia-Pacific region and the United States. It uses a custom backdoor that ESET identifies as SlowStepper. In the past, ESET Research has observed this group gain access by exploiting vulnerabilities in web servers and, in 2023, conduct a supply chain attack.
For a more in-depth analysis of PlushDaemon's most recent activity, the article "PlushDaemon compromises network devices for adversary-in-the-middle attacks" is available on WeLiveSecurity.com. ESET Research updates can also be followed on Twitter (now X), BlueSky and Mastodon.