Current Cyber Threats

'PlushDaemon' Hackers Hijack Software Updates in Supply-Chain Attacks

Summary:
ESET researchers uncovered how the China-aligned PlushDaemon threat actor conducts adversary-in-the-middle attacks by hijacking legitimate software update traffic using a previously undocumented network implant called EdgeStepper. This implant redirects all DNS queries from compromised routers or network devices to an attacker-controlled DNS node, enabling malicious redirection of update requests from applications such as Sogou Pinyin. Once traffic is rerouted, the hijacking node instructs the software to download LittleDaemon, which then retrieves and executes DaemonicLogistics, a downloader responsible for deploying PlushDaemon’s custom SlowStepper backdoor. PlushDaemon has been active since at least 2018 and has targeted victims across China, Taiwan, Hong Kong, Cambodia, South Korea, the U.S., and New Zealand. The group has used update hijacking, web-server vulnerabilities, and supply-chain compromises to deliver its malware. EdgeStepper is written in Go, deployed on MIPS-based devices, and manipulates iptables to redirect DNS traffic, while LittleDaemon and DaemonicLogistics handle staged delivery of SlowStepper on Windows systems.


Security Officer Comments:
PlushDaemon’s operations illustrate a highly strategic focus on network-layer manipulation, where compromising routers gives the actor an upstream vantage point to silently hijack update channels. This approach reduces reliance on phishing or endpoint exploitation and allows the threat actor to weaponize trusted software ecosystems. The DNS-redirection technique is especially concerning because it enables stealthy, infrastructure-agnostic compromise: any software using HTTP-based update checks becomes a viable vector. The group’s tooling is purpose-built, modular, and capable of blending malicious payloads into legitimate update workflows, making detection difficult without strong network integrity verification.


Suggested Corrections:
Defenders should enforce DNS integrity protections, including DNSSEC validation, encrypted DNS (DoT/DoH) where appropriate, and monitoring for unauthorized DNS redirection or iptables manipulation on routers and IoT devices. Organizations should harden network appliances by changing default credentials, applying firmware updates quickly, and restricting administrative interfaces from the internet. Implement update-verification controls such as HTTPS-only update endpoints, certificate pinning, and checksum validation to prevent tampering with software distribution channels. Endpoint defenses should monitor for unusual outbound requests to update URLs, unexpected DLL downloads, or unsigned binaries masquerading as update components. Network monitoring should include alerting on changes to port-53 flows or unusual DNS response patterns. Finally, organizations should segment or replace outdated MIPS-based devices that cannot support modern security controls, as these remain ideal footholds for implants like EdgeStepper.
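One concrete form of the "monitor for iptables manipulation on routers" control above, as an added example that is not code from ESET or the article: a small Python check that parses `iptables-save` output collected from a router and reports NAT rules that rewrite port-53 traffic to a resolver outside an allow-list (the shape of rule a DNS-hijacking implant would add). The sample rule set and the 203.0.113.7 / 192.0.2.53 addresses are constructed for the example.

```python
import re

# Constructed sample of `iptables-save` output from a router. The two DNAT
# rules in the nat table send every LAN client's DNS query to an external
# resolver instead of the configured one; the other rules are ordinary.
SAMPLE_IPTABLES_SAVE = """\
*filter
-A INPUT -p tcp --dport 22 -j ACCEPT
COMMIT
*nat
-A PREROUTING -i br-lan -p udp --dport 53 -j DNAT --to-destination 203.0.113.7:53
-A PREROUTING -i br-lan -p tcp --dport 53 -j DNAT --to-destination 203.0.113.7:53
-A PREROUTING -i br-lan -p tcp --dport 80 -j REDIRECT --to-ports 8080
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
"""

DPORT_53 = re.compile(r"--dport\s+53\b")          # rule matches DNS port
NAT_TARGET = re.compile(r"-j\s+(DNAT|REDIRECT)\b")  # rule rewrites destination
TO_DEST = re.compile(r"--to-destination\s+(\S+)")   # DNAT target, ip[:port]


def find_dns_redirect_rules(text, allowed_resolvers):
    """Return (target, destination, rule) for nat-table rules that rewrite
    port-53 traffic to a resolver not in allowed_resolvers. REDIRECT rules
    (which send DNS to the router itself) have no destination and are
    always reported so an operator can confirm they are expected."""
    findings = []
    in_nat = False
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("*"):          # table header: *filter, *nat, ...
            in_nat = line == "*nat"
            continue
        if not in_nat or not line.startswith("-A"):
            continue
        target = NAT_TARGET.search(line)
        if not target or not DPORT_53.search(line):
            continue
        dest_match = TO_DEST.search(line)
        dest = dest_match.group(1) if dest_match else None
        dest_ip = dest.rsplit(":", 1)[0] if dest else None
        # DNAT to an approved internal resolver is a legitimate configuration.
        if target.group(1) == "DNAT" and dest_ip in allowed_resolvers:
            continue
        findings.append((target.group(1), dest, line))
    return findings


if __name__ == "__main__":
    for target, dest, rule in find_dns_redirect_rules(SAMPLE_IPTABLES_SAVE, ["192.0.2.53"]):
        print(f"suspicious {target} of DNS to {dest}: {rule}")
```

On a real device, feed the function the output of `iptables-save` (or `nft list ruleset` translated to the same rule lines) and compare against the resolvers your configuration management expects.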

Link(s):
https://www.bleepingcomputer.com/ne...ack-software-updates-in-supply-chain-attacks/