It’s unsettling how quiet some of these operations run — you blink, and suddenly the most routine part of computing, software updates, becomes the attack vector. That’s essentially what ESET researchers uncovered when they began tracing activity tied to PlushDaemon, a China-aligned threat actor that’s been operating under the radar for several years. Their latest discovery centers on a previously undocumented implant called EdgeStepper, a tool purpose-built to sit inside network devices like routers and manipulate traffic without raising alarms.
EdgeStepper doesn’t go for showy exploits or loud malware behavior. Instead, it performs a subtle adversary-in-the-middle maneuver by intercepting and redirecting DNS traffic. Whenever a machine on a compromised network looks up the hostname of a legitimate update server, EdgeStepper quietly forwards that DNS query to a malicious DNS server under attacker control. That server answers with the IP address of a hijacking node, a server built to impersonate the vendor’s update infrastructure, serve a tampered update, and deploy the next-stage malware. From the client’s point of view nothing looks off: it asked its configured resolver a question and got an answer. ESET even observed cases where the malicious DNS server and the hijacking node were the same machine, which simplifies the operation further.
Once that traffic rerouting succeeds, PlushDaemon begins dropping tools with almost theatrical naming flair — LittleDaemon, DaemonicLogistics, and eventually the real objective: SlowStepper, a modular espionage backdoor with dozens of components. With it, attackers gain the ability to exfiltrate data, persist for long periods, and remotely control compromised systems.
The broader campaign isn’t new; PlushDaemon appears to have been active since at least 2018. But the scope is widening. Victims include targets in the United States, Taiwan, Hong Kong, New Zealand, Cambodia, Japan, and even mainland China. The profile of affected organizations ranges from universities and electronics manufacturers to companies in the automotive and industrial sectors. One detail that stands out is that several popular Chinese consumer software products had their update channels hijacked. That’s bold, and very efficient, because users trust updates, apply them automatically, and rarely scrutinize them. Any updater that does not verify a publisher signature on what it downloads will install whatever the hijacking node serves.
ESET suggests the attackers gain initial access by exploiting unpatched vulnerabilities or weak or default router credentials, which unfortunately remain common enough to make this tactic viable on a global scale. Once in, EdgeStepper starts running, and the domino effect unfolds quietly behind the scenes. For defenders the corollary is plain: the chain begins at the router, so firmware patching and non-default administrative credentials on edge devices matter as much as anything running on the endpoints.
Facundo Muñoz, the researcher who led the analysis, put it plainly: once EdgeStepper is active, every DNS query becomes an opportunity. If the request matches a software update domain, the system gets steered into hostile territory. If not, the traffic passes through untouched — making the whole mechanism almost invisible unless someone goes looking for it.
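Because the redirection is selective, the practical check for the mechanism described here and two paragraphs earlier is to compare what update hostnames resolve to along the local router path against answers from a resolver the router cannot touch, and to look for one address standing in for several unrelated vendors. The Python below is an added example, not code from ESET, the researchers, or the original article. The hostnames, vendor address ranges, resolver addresses, reference answers and log lines are constructed (documentation-only addresses and the .test TLD), and the tab-separated log shape is a simplified Zeek dns.log-like layout assumed for illustration.

```python
"""Flag DNS answers for software-update hostnames that point off-vendor.

Added example, not ESET's or the article's code. Every hostname, address
range and log record below is constructed; the .test TLD and the
RFC 5737 / RFC 3849 documentation ranges never appear in real traffic.
"""
import ipaddress
from collections import defaultdict

# Hypothetical vendor-published ranges for update hostnames (assumption).
UPDATE_ALLOWLIST = {
    "update.example-vendor.test": ["203.0.113.0/24"],
    "dl.example-soft.test": ["198.51.100.0/24", "2001:db8:10::/48"],
}

# Constructed records in a Zeek-like dns.log shape:
# ts<TAB>client<TAB>resolver<TAB>query<TAB>comma-separated answers
SAMPLE_LOG = """\
1700000000.1\t10.0.0.23\t10.0.0.1\tupdate.example-vendor.test\t203.0.113.10
1700000001.4\t10.0.0.23\t10.0.0.1\tupdate.example-vendor.test\t192.0.2.77
1700000002.0\t10.0.0.41\t10.0.0.1\tdl.example-soft.test\t198.51.100.5,192.0.2.77
1700000003.2\t10.0.0.41\t10.0.0.1\twww.unrelated.test\t192.0.2.80
1700000004.9\t10.0.0.23\t10.0.0.1\tdl.example-soft.test\t2001:db8:10::44
"""

# Constructed answers for the same names obtained over an independent,
# encrypted resolver (DoH/DoT) that a compromised router cannot rewrite.
REFERENCE_ANSWERS = {
    "update.example-vendor.test": {"203.0.113.10"},
    "dl.example-soft.test": {"198.51.100.5", "2001:db8:10::44"},
}


def parse_dns_log(text):
    """Turn tab-separated records into dicts; skip blank or malformed lines."""
    records = []
    for line in text.splitlines():
        parts = line.split("\t")
        if len(parts) != 5:
            continue
        ts, client, resolver, query, answers = parts
        records.append({
            "ts": float(ts),
            "client": client,
            "resolver": resolver,
            "query": query.lower().rstrip("."),
            "answers": [a for a in answers.split(",") if a],
        })
    return records


def _in_ranges(ip, cidrs):
    # ip_network.__contains__ returns False across address families,
    # so mixing IPv4 answers with IPv6 ranges is safe here.
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(c) for c in cidrs)


def off_allowlist_answers(records, allowlist=UPDATE_ALLOWLIST):
    """Answers for update hostnames that fall outside the vendor's ranges.

    Names not in the allowlist are ignored on purpose: the hijack described
    in the article leaves unrelated traffic alone, so only update names matter.
    """
    findings = []
    for rec in records:
        cidrs = allowlist.get(rec["query"])
        if cidrs is None:
            continue
        for ip in rec["answers"]:
            if not _in_ranges(ip, cidrs):
                findings.append((rec["query"], ip, rec["client"], rec["ts"]))
    return findings


def shared_rogue_ips(findings):
    """Off-allowlist IPs that answer for two or more distinct update hostnames.

    Unrelated vendors do not share an update server; one address standing in
    for several is what a single hijacking node looks like in the logs.
    """
    by_ip = defaultdict(set)
    for query, ip, _client, _ts in findings:
        by_ip[ip].add(query)
    return {ip: sorted(names) for ip, names in by_ip.items() if len(names) > 1}


def resolver_mismatches(records, reference=REFERENCE_ANSWERS):
    """Names whose router-path answers contain IPs the reference resolver never returned."""
    local = defaultdict(set)
    for rec in records:
        if rec["query"] in reference:
            local[rec["query"]].update(rec["answers"])
    return {
        name: sorted(local[name] - reference[name])
        for name in reference
        if local[name] - reference[name]
    }


if __name__ == "__main__":
    recs = parse_dns_log(SAMPLE_LOG)
    for finding in off_allowlist_answers(recs):
        print("off-allowlist answer:", finding)
    print("shared rogue IPs:", shared_rogue_ips(off_allowlist_answers(recs)))
    print("mismatch vs reference resolver:", resolver_mismatches(recs))
```

In a real deployment the allowlist would be built from ranges the vendor actually publishes and the reference set would come from periodic DoH or DoT lookups made from outside the suspect network; both are assumptions here. The third check is the one that survives a vendor with no published ranges: if the router path and an independent resolver disagree about where an update host lives, something between the client and the internet is answering for it.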
Cyberespionage operations like this thrive on patience and subtlety. PlushDaemon’s infrastructure, tooling maturity, and evolving tactics — including prior supply-chain attacks and web-server exploits — show a threat actor comfortable with long-term access rather than smash-and-grab hacking.
It’s another reminder that the most dangerous compromises aren’t always the loud ones. Sometimes the attacker is already sitting inside the router, quietly turning routine maintenance into a foothold for persistent surveillance — and no one notices until a researcher somewhere finally connects the dots.