PlushDaemon, a China-linked APT group, has been deploying a previously undocumented network implant dubbed EdgeStepper to hijack DNS traffic on compromised network devices.
According to findings disclosed by ESET researchers, the hijacked traffic is then redirected to attacker-controlled infrastructure, enabling the delivery of malicious payloads.
“First, PlushDaemon compromises a network device (for example, a router) to which their target might connect; the compromise is probably achieved by exploiting a vulnerability in the software running on the device or through weak and/or well-known default administrative credentials, enabling the attackers to deploy EdgeStepper,” ESET researchers said in a blog post, adding that the implant then re-routes traffic from legitimate infrastructure used for software updates.
The ultimate goal of this new tooling is to utilize trusted update mechanisms to install the group’s signature backdoor, SlowStepper, on Windows machines, turning legitimate-looking software updates into espionage drop points.
According to ESET’s telemetry, PlushDaemon has operated since at least 2018, targeting organizations across the US, Taiwan, Hong Kong, and New Zealand.
EdgeStepper hijacks network gear to enable AitM
PlushDaemon’s first move is not to poison a target’s laptop, but to compromise the infrastructure around it. ESET found that the EdgeStepper implant (internally referred to as “dns-cheat-v2”) is compiled for MIPS32 and written in Go using the GoFrame framework, so that it can run on network devices such as routers.
Once installed, EdgeStepper configures “iptables” rules on the device to redirect all UDP traffic on port 53 (DNS) to a local proxy (port 1090 by default), which forwards the queries to a malicious DNS node.
The Adversary-in-the-Middle (AitM) attack proceeds with the proxy watching for DNS queries for domains associated with software updates. When such a query arrives, the proxy responds with the IP address of the attacker-controlled server instead of the legitimate one. As a result, a subsequent update request meant for the legitimate vendor is routed to the attacker’s infrastructure without the user noticing.
This technique effectively shifts the threat from endpoints to the network layer, compromising the infrastructure through which trusted updates flow. Researchers warn organizations to monitor unusual DNS redirection patterns and validate update-server resolution.
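The two checks the researchers recommend can be scripted. The following is an added example written for this article, not ESET’s tooling or any code from the PlushDaemon analysis. It assumes a router on which `iptables-save -t nat` output can be collected, and it generalizes slightly beyond the text: besides the REDIRECT-to-local-port rule described above (port 1090 by default), it also flags DNAT rules that send UDP/53 to another host. The iptables excerpt, hostnames and addresses are constructed sample data so the script runs offline.

```python
"""Defender-side checks against router-level DNS hijacking of update traffic.

1. find_dns_redirect_rules(): scan iptables NAT rules (iptables-save format)
   for PREROUTING rules that divert UDP/53 via REDIRECT or DNAT.
2. compare_resolutions(): compare how update-server hostnames resolve through
   the LAN resolver versus an independent reference resolver, and flag hosts
   whose answer sets do not overlap.

Added example; all inputs are constructed, not captured from a real device.
"""
import re
from typing import Dict, List

# Constructed iptables-save excerpt. The first PREROUTING rule is the kind of
# configuration described for EdgeStepper (UDP 53 -> local proxy port 1090);
# the DNAT rule shows the variant that forwards DNS to another host; the rest
# are benign.
SAMPLE_IPTABLES = """\
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -i br-lan -p udp -m udp --dport 53 -j REDIRECT --to-ports 1090
-A PREROUTING -p udp --dport 53 -j DNAT --to-destination 192.0.2.9:53
-A PREROUTING -i br-lan -p tcp -m tcp --dport 80 -j ACCEPT
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
"""

# Matches a PREROUTING rule for UDP destination port 53 whose target is
# REDIRECT (local port) or DNAT (other host). Ordering of -p/--dport/-j is
# as iptables-save emits it.
RULE_RE = re.compile(
    r"^-A\s+PREROUTING\s+.*?-p\s+udp\b.*?--dport\s+53\b.*?"
    r"-j\s+(?P<target>REDIRECT|DNAT)\s+"
    r"(?:--to-ports\s+(?P<port>\d+)|--to-destination\s+(?P<dest>\S+))"
)


def find_dns_redirect_rules(iptables_save_text: str) -> List[dict]:
    """Return every PREROUTING rule that diverts UDP/53 via REDIRECT or DNAT."""
    hits = []
    for raw in iptables_save_text.splitlines():
        line = raw.strip()
        m = RULE_RE.match(line)
        if m:
            hits.append({
                "rule": line,
                "target": m.group("target"),
                "to": m.group("port") or m.group("dest"),
            })
    return hits


# Constructed resolution results. LOCAL_ANSWERS is what the router's resolver
# returned; REFERENCE_ANSWERS is what an independent resolver returned over a
# path the router cannot rewrite (for example DNS over TLS/HTTPS to a fixed
# provider, or a lookup from outside the LAN).
LOCAL_ANSWERS: Dict[str, List[str]] = {
    "update.example-vendor.test": ["203.0.113.50"],  # disagrees -> suspicious
    "cdn.example-vendor.test": ["198.51.100.7"],
    "www.example.test": ["198.51.100.20"],
}
REFERENCE_ANSWERS: Dict[str, List[str]] = {
    "update.example-vendor.test": ["198.51.100.5"],
    "cdn.example-vendor.test": ["198.51.100.7"],
    "www.example.test": ["198.51.100.20"],
}


def compare_resolutions(local: Dict[str, List[str]],
                        reference: Dict[str, List[str]]) -> Dict[str, dict]:
    """Return hosts whose local answers share no address with the reference."""
    mismatches = {}
    for host, ref_ips in reference.items():
        local_ips = set(local.get(host, []))
        if not local_ips & set(ref_ips):
            mismatches[host] = {"local": sorted(local_ips),
                                "reference": sorted(ref_ips)}
    return mismatches


if __name__ == "__main__":
    for hit in find_dns_redirect_rules(SAMPLE_IPTABLES):
        print(f"DNS diversion rule ({hit['target']} -> {hit['to']}): {hit['rule']}")
    for host, detail in compare_resolutions(LOCAL_ANSWERS, REFERENCE_ANSWERS).items():
        print(f"Resolution mismatch for {host}: {detail}")
```

On a live device, feed the output of `iptables-save -t nat` to `find_dns_redirect_rules`; any hit for UDP/53 that the network team did not configure deserves a look. A resolution mismatch by itself is a lead rather than proof, since CDN-fronted vendors legitimately return different addresses to different resolvers, so confirm by checking the returned address against the vendor's published ranges and by making sure the update client validates TLS certificates and update signatures, which is what ultimately limits the damage a hijacked DNS answer can do.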
Hijacked update to backdoor deployment
With the network device serving as a stealthy redirect, PlushDaemon then exploits the hijacked update channel to gain access to end systems. ESET observed how typical victim software (such as a Chinese input-method application) issues an HTTP GET to its update server; because DNS was hijacked, the request lands at attacker-controlled infrastructure instead.
The payload chain typically begins with LittleDaemon, a downloader posing as a DLL, which checks for the presence of the final payload. If absent, it fetches another component, DaemonicLogistics. That tool then interprets HTTP status codes from the hijacked server as commands to download and install the signature backdoor SlowStepper on the target machines.
SlowStepper is a feature-rich espionage backdoor with modules for browser data collection, audio/video capture, document theft, and credential harvesting. PlushDaemon’s move to weaponize network plumbing reflects adversaries shifting away from blunt endpoint strikes toward quieter, trust-abuse techniques. Earlier this year, a China-linked campaign was found implanting backdoors on Juniper routers, showing attackers’ willingness to live on the network kit itself rather than only on PCs.