ESET Uncovers PlushDaemon’s Global Cyberespionage Operation Using EdgeStepper to Hijack Software-Update Traffic


(IN BRIEF) ESET researchers have revealed that the China-aligned cyberespionage group PlushDaemon has been deploying adversary-in-the-middle attacks through a newly identified network-device implant called EdgeStepper, which manipulates DNS traffic to divert legitimate software-update requests to attacker-controlled servers. This redirection enables the distribution of the group’s downloaders, LittleDaemon and DaemonicLogistics, which then install the SlowStepper espionage backdoor on targeted Windows systems. PlushDaemon has been active across multiple regions—including East Asia-Pacific, the United States, and mainland China—compromising organizations in sectors such as academia, electronics manufacturing, and automotive. The operation begins with the compromise of routers or similar devices, achieved through vulnerabilities or weak administrative credentials, after which EdgeStepper selectively hijacks software-update traffic. ESET’s latest research highlights how this technique enabled the group to intercept updates from several well-known Chinese applications, expanding their global reach and reaffirming their capability to conduct long-term intelligence gathering.

(PRESS RELEASE) BRATISLAVA, 19-Nov-2025 — /EuropaWire/ — ESET researchers have uncovered a new phase in the operations of the China-aligned threat group known as PlushDaemon, revealing that the actors have been conducting adversary-in-the-middle attacks through a previously undocumented network-device implant called EdgeStepper. This malicious tool is designed to seize control of DNS traffic by redirecting requests from legitimate software-update channels to attacker-operated servers, effectively enabling PlushDaemon to covertly hijack update mechanisms across multiple systems.

EdgeStepper reroutes DNS queries to a rogue DNS server that responds with the address of an infrastructure node responsible for intercepting and replacing legitimate update traffic. Through this setup, the attackers deploy their downloaders — LittleDaemon and DaemonicLogistics — onto targeted Windows machines. These downloaders ultimately deliver SlowStepper, a modular espionage backdoor with dozens of components, giving PlushDaemon the capability to infiltrate and monitor systems around the world. ESET confirmed that update mechanisms for several widely used Chinese software applications were manipulated during these operations.

Active since at least 2018, PlushDaemon has conducted cyberespionage campaigns across regions including the United States, Taiwan, Hong Kong, Cambodia, New Zealand, and mainland China. Victims have included an academic institution in Beijing, a Taiwanese electronics manufacturer, a company in the automotive sector, and the regional operations of a Japanese manufacturing enterprise.

According to ESET’s analysis, the attack begins with PlushDaemon compromising a network device—typically a router or similar hardware—that their intended victims are likely to use. This initial access may be achieved through software vulnerabilities or the use of weak or default administrative passwords, giving the attackers the opportunity to deploy EdgeStepper or additional malicious tools.

Once installed, EdgeStepper immediately starts redirecting DNS requests. As ESET researcher Facundo Muñoz explains, the malicious DNS node checks whether the requested domain relates to software updates, and if so, responds with the IP address of the hijacking node. In some cases, servers perform the dual role of DNS node and hijacking server, simply replying with their own address. “Several popular Chinese software products had their updates hijacked by PlushDaemon via EdgeStepper,” Muñoz notes.
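As an added illustration (not ESET's code or data) of how a defender can check for the DNS redirection described above: a host compares the answers it gets for update hostnames through its gateway with answers for the same names from an independent, encrypted resolver, and separately flags the dual-role case where the answering server simply returns its own address. All hostnames and IP addresses are constructed placeholders.

```python
"""Flag software-update DNS answers that diverge from an independent reference resolver.
Constructed example: names and addresses are RFC 5737 placeholders, not ESET indicators."""
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class DnsAnswer:
    domain: str    # queried name
    resolver: str  # IP of the server that answered
    address: str   # A record returned


# Constructed: update hostnames the organisation knows its software contacts.
UPDATE_DOMAINS = {"update.example-app.test", "dl.example-suite.test",
                  "patch.example-tool.test"}


def find_hijacked_updates(local, reference):
    """Return (domain, reason) pairs for suspicious update-domain answers.
    local: answers via the gateway's DNS; reference: the same names from an
    independent, encrypted resolver that the compromised router cannot rewrite."""
    ref_by_domain = {a.domain: ipaddress.ip_address(a.address) for a in reference}
    findings = []
    for ans in local:
        if ans.domain not in UPDATE_DOMAINS:
            continue
        # Dual-role case from the report: the rogue DNS node is also the
        # hijacking server and simply answers with its own address.
        if ans.address == ans.resolver:
            findings.append((ans.domain, "answer equals resolver address"))
            continue
        expected = ref_by_domain.get(ans.domain)
        if expected is not None and ipaddress.ip_address(ans.address) != expected:
            findings.append((ans.domain, f"local {ans.address} != reference {expected}"))
    return findings


# Constructed sample: what the host saw via its router vs. the reference resolver.
LOCAL = [
    DnsAnswer("update.example-app.test", "192.0.2.53", "198.51.100.7"),  # redirected
    DnsAnswer("dl.example-suite.test", "192.0.2.53", "192.0.2.53"),      # dual role
    DnsAnswer("patch.example-tool.test", "192.0.2.53", "203.0.113.12"),  # benign
    DnsAnswer("www.example.test", "192.0.2.53", "198.51.100.7"),         # not an update host
]
REFERENCE = [
    DnsAnswer("update.example-app.test", "203.0.113.1", "203.0.113.10"),
    DnsAnswer("dl.example-suite.test", "203.0.113.1", "203.0.113.11"),
    DnsAnswer("patch.example-tool.test", "203.0.113.1", "203.0.113.12"),
]
```

An empty findings list is the expected steady state; any mismatch points at the DNS path (the network device) rather than the update server as the first thing to investigate.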

PlushDaemon has historically relied on custom tooling, with SlowStepper serving as its hallmark backdoor. The group has been observed exploiting web-server vulnerabilities and even carrying out a supply-chain attack in 2023.

Readers can explore ESET’s in-depth technical analysis in the newly published WeLiveSecurity blogpost, PlushDaemon compromises network devices for adversary-in-the-middle attacks. ESET Research continues to share updates through X (formerly Twitter), BlueSky, and Mastodon.

Geographical distribution of PlushDaemon’s victims since 2019

About ESET

ESET® provides cutting-edge cybersecurity to prevent attacks before they happen. By combining the power of AI and human expertise, ESET stays ahead of emerging global cyberthreats, both known and unknown—securing businesses, critical infrastructure, and individuals. Whether it’s endpoint, cloud, or mobile protection, our AI-native, cloud-first solutions and services remain highly effective and easy to use. ESET technology includes robust detection and response, ultra-secure encryption, and multifactor authentication. With 24/7 real-time defense and strong local support, we keep users safe and businesses running without interruption. The ever-evolving digital landscape demands a progressive approach to security: ESET is committed to world-class research and powerful threat intelligence, backed by R&D centers and a strong global partner network. For more information, visit www.eset.com or follow our social media, podcasts, and blogs.

Media Contact:
pr@eset.com

SOURCE: ESET
