{"id":5882,"date":"2025-11-20T12:08:56","date_gmt":"2025-11-20T12:08:56","guid":{"rendered":"https:\/\/cybersecurityinfocus.com\/?p=5882"},"modified":"2025-11-20T12:08:56","modified_gmt":"2025-11-20T12:08:56","slug":"china%e2%80%91linked-plushdaemon-hijacks-dns-via-edgestepper-to-weaponize-software-updates","status":"publish","type":"post","link":"https:\/\/cybersecurityinfocus.com\/?p=5882","title":{"rendered":"China\u2011linked PlushDaemon hijacks DNS via \u2018EdgeStepper\u2019 to weaponize software updates"},"content":{"rendered":"<div>\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<p>PlushDaemon, a China-linked APT group, has been deploying a previously undocumented network implant dubbed EdgeStepper to hijack DNS traffic on compromised network devices.<\/p>\n<p>According to findings disclosed by ESET researchers, the hijacked traffic is then redirected to attacker-controlled infrastructure, enabling the delivery of malicious payloads.<\/p>\n<p>\u201cFirst, PlushDaemon compromises a network device (for example, a router) to which their target might connect; the compromise is probably achieved by exploiting a vulnerability in the software running on the device or through weak and\/or well-known default administrative credentials, enabling the attackers to deploy EdgeStepper,\u201d ESET researchers said in a blog post, adding that the implant then re-routes traffic from legitimate infrastructure used for software updates.<\/p>\n<p>The ultimate goal of this new tooling is to use trusted update mechanisms to install the group\u2019s signature backdoor, SlowStepper, on Windows machines, turning legitimate-looking software updates into espionage drop points.<\/p>\n<p>According to ESET\u2019s telemetry, PlushDaemon has operated since at least 2018, targeting organizations across the US, Taiwan, Hong Kong, and New Zealand.<\/p>\n<h2 class=\"wp-block-heading\">EdgeStepper hijacks network gear to enable AitM<\/h2>\n<p>PlushDaemon\u2019s first move is not to poison a target\u2019s laptop, but to compromise the infrastructure around it. ESET <a href=\"https:\/\/www.welivesecurity.com\/en\/eset-research\/plushdaemon-compromises-network-devices-for-adversary-in-the-middle-attacks\/\" target=\"_blank\" rel=\"noopener\">found<\/a> that the implant EdgeStepper (internally referred to as \u201cdns-cheat-v2\u201d) is compiled for MIPS32 and built in Go using the GoFrame framework, to target network devices such as routers.<\/p>\n<p>Once installed, EdgeStepper configures \u201ciptables\u201d rules on the device to redirect all <a href=\"https:\/\/www.csoonline.com\/article\/2071104\/udp-based-network-communications-face-critical-denial-of-service-attacks.html\">UDP<\/a> traffic on port 53 (DNS) to a local proxy (port 1090 by default), which forwards the queries to a malicious DNS node.<\/p>\n<p>The Adversary-in-the-Middle (<a href=\"https:\/\/www.csoonline.com\/article\/4040128\/fido-undermined.html\">AitM<\/a>) attack proceeds with the proxy detecting a DNS query for a domain associated with software updates. When such a query arrives, the proxy responds with the IP of the attacker-controlled server instead of the legitimate one. That means a subsequent update request meant for the legitimate vendor is routed to the attacker\u2019s infrastructure without the user realizing.<\/p>\n<p>This technique effectively shifts the threat from endpoints to the network layer, compromising the infrastructure through which trusted updates flow. Researchers advise organizations to monitor for unusual DNS redirection patterns and to validate update-server resolution.<\/p>\n<h2 class=\"wp-block-heading\">Hijacked update to backdoor deployment<\/h2>\n<p>With the network device serving as a stealthy redirect, PlushDaemon then exploits the hijacked update channel to gain access to end-systems. ESET observed that typical victim software (such as a Chinese input-method application) issues an HTTP GET to its update server, but because DNS was hijacked, the request lands at attacker-controlled infrastructure.<\/p>\n<p>The payload chain typically begins with LittleDaemon, a downloader posing as a DLL, which checks for the presence of the final payload. If absent, it fetches another component, DaemonicLogistics. That tool then interprets HTTP status codes from the hijacked server as commands to download and install the signature backdoor SlowStepper on the target machines.<\/p>\n<p>SlowStepper is a feature-rich espionage backdoor with modules for browser data collection, audio\/video capture, document theft, and credential harvesting. PlushDaemon\u2019s move to weaponize network plumbing reflects adversaries shifting away from blunt endpoint strikes toward quieter, trust-abuse techniques. Earlier this year, a China-linked <a href=\"https:\/\/www.csoonline.com\/article\/3844122\/chinese-cyberespionage-group-deploys-custom-backdoors-on-juniper-routers.html\">campaign<\/a> was found implanting backdoors on Juniper routers, showing attackers\u2019 willingness to live on the network kit itself rather than only on PCs.<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>PlushDaemon, a China-linked APT group, has been deploying a previously undocumented network implant dubbed EdgeStepper to hijack DNS traffic on compromised network devices. According to findings disclosed by ESET researchers, the hijacked traffic is then redirected to attacker-controlled infrastructure, enabling the delivery of malicious payloads. \u201cFirst, PlushDaemon compromises a network device (for example, a router) [&hellip;]<\/p>\n","protected":false},"author":0,"featured_media":5883,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-5882","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-education"],"_links":{"self":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/5882"}],"collection":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=5882"}],"version-history":[{"count":0,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/5882\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/media\/5883"}],"wp:attachment":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=5882"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=5882"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=5882"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}