
PlushDaemon Supply Chain Attacks Exploit DNS Hijacking to Deliver Custom Espionage Malware

The PlushDaemon threat actor continues to expand its capabilities through adversary-in-the-middle techniques that manipulate software update channels to deliver custom espionage malware. PlushDaemon is a China-aligned group active since at least 2018 and responsible for intrusions in the United States, Taiwan, Hong Kong, Cambodia, New Zealand, and mainland China. The group is known for stealthy, persistent access gained through network device compromise, DNS hijacking, update manipulation, and multi-stage malware deployments that target individuals, universities, manufacturers, and technology organizations.

Figure: Geographical distribution of victims (Source: ESET)

According to new research from ESET, PlushDaemon has been operating a previously undocumented network implant that lets the group hijack DNS queries, intercept legitimate software update requests, and redirect them to attacker-controlled infrastructure. That position allows PlushDaemon to deliver trojanized update components that lead to the installation of its signature backdoor, SlowStepper. The group has maintained a consistent focus on supply chain and update channel attacks, which let it compromise victims without relying on phishing or any user interaction.

Background on PlushDaemon Activity

PlushDaemon has been associated with targeted cyber espionage since at least 2018. The group focuses on the theft of sensitive data, intellectual property, internal communications, credentials, and system information from organizations involved in research, technology development, manufacturing, and public sector operations. Over the years, PlushDaemon has compromised universities in Beijing, technology organizations in Taiwan, a Japanese automotive manufacturer operating in Cambodia, and victims in the United States and New Zealand.

Unlike many espionage groups that rely heavily on spear phishing, PlushDaemon frequently compromises network devices such as routers and small office equipment to gain persistent access. These devices let the group position itself in the middle of a victim's traffic and observe or manipulate data flowing between endpoints and legitimate update servers. For several years PlushDaemon has deployed custom malware including SlowStepper, DaemonicLogistics, and LittleDaemon. These implants form a multi-stage toolset that enables persistence, command execution, data exfiltration, and credential theft.

The EdgeStepper Implant and DNS Hijacking

ESET researchers identified a new network implant used by PlushDaemon that they named EdgeStepper. The implant is designed to intercept DNS traffic at the router or gateway level and redirect requests to attacker controlled DNS nodes. The DNS nodes respond to queries for update related domains with malicious IP addresses that point victims toward hijacking servers instead of legitimate infrastructure.

Figure: Illustration of the first stages of the attack (Source: ESET)

EdgeStepper is written in Go and compiled as an ELF binary for the MIPS32 architecture commonly used in consumer and small enterprise routers. Its developers named it dns_cheat_v2 internally, reflecting its purpose as a DNS manipulation tool. The implant extracts and decrypts its configuration with AES-CBC, using a static key and IV embedded in the GoFrame framework it is built on. Configuration fields specify the port on which EdgeStepper listens and the domain name of the malicious DNS node to which it forwards queries.

Figure: Illustration of the final stage of the update hijacking (Source: ESET)

Once active, the implant adds an iptables rule that redirects all UDP port 53 traffic to the local port on which it listens. It forwards each DNS query to the malicious DNS node, receives the response, and returns it to the requesting device. Because the malicious node answers selectively, PlushDaemon can tamper with only specific domains, particularly those related to software updates, while resolution of everything else continues to work normally and the victim sees nothing unusual. For example, DNS queries for Sogou Pinyin update servers have been observed being redirected through PlushDaemon's infrastructure.
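To make that exchange concrete, the following Go program is an added example for this article (not ESET's code and not the implant): it builds a DNS A query for a placeholder update host, the answer a legitimate resolver would return, and the answer a hijacking DNS node would substitute, then parses each response and flags any address outside the prefixes the vendor is known to publish. The host name, the addresses, and the expected prefix are constructed; a deployed check would take its reference answer from a trusted resolver reached over an encrypted channel rather than from a hardcoded list.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
	"net"
	"strings"
)

var errTruncated = errors.New("truncated DNS message")

// BuildQuery constructs a recursive A query as a client stub resolver would send it:
// 12-byte header, the name as length-prefixed labels, a zero terminator, QTYPE=A, QCLASS=IN.
func BuildQuery(id uint16, name string) []byte {
	msg := make([]byte, 12)
	binary.BigEndian.PutUint16(msg[0:], id)
	binary.BigEndian.PutUint16(msg[2:], 0x0100) // flags: RD=1
	binary.BigEndian.PutUint16(msg[4:], 1)      // QDCOUNT=1
	for _, label := range strings.Split(strings.TrimSuffix(name, "."), ".") {
		msg = append(append(msg, byte(len(label))), label...)
	}
	return append(msg, 0, 0, 1, 0, 1)
}

// BuildAResponse answers query with the given IPv4 addresses; each answer RR names its
// owner with a compression pointer (0xC00C) back to the question, as real resolvers do.
func BuildAResponse(query []byte, ips []net.IP) []byte {
	msg := append([]byte(nil), query...)
	binary.BigEndian.PutUint16(msg[2:], 0x8180) // flags: QR=1, RD=1, RA=1
	binary.BigEndian.PutUint16(msg[6:], uint16(len(ips)))
	for _, ip := range ips {
		msg = append(msg, 0xC0, 0x0C, 0, 1, 0, 1, 0, 0, 0, 60, 0, 4) // ptr, A, IN, TTL 60, RDLENGTH 4
		msg = append(msg, ip.To4()...)
	}
	return msg
}

// readName decodes a possibly compressed name at off; it returns the name and the offset
// just past it in the original stream, and refuses to read beyond the buffer or to loop.
func readName(msg []byte, off int) (string, int, error) {
	var labels []string
	next, hops := -1, 0
	for {
		if off >= len(msg) { return "", 0, errTruncated }
		l := int(msg[off])
		switch {
		case l == 0:
			if next < 0 { next = off + 1 }
			return strings.Join(labels, "."), next, nil
		case l&0xC0 == 0xC0: // compression pointer
			if off+1 >= len(msg) { return "", 0, errTruncated }
			if next < 0 { next = off + 2 }
			if hops++; hops > 8 { return "", 0, errors.New("compression pointer loop") }
			off = int(binary.BigEndian.Uint16(msg[off:]) & 0x3FFF)
		default:
			if off+1+l > len(msg) { return "", 0, errTruncated }
			labels = append(labels, string(msg[off+1:off+1+l]))
			off += 1 + l
		}
	}
}

// ParseAAnswers returns the question name and every IPv4 address in the answer section.
func ParseAAnswers(msg []byte) (string, []net.IP, error) {
	if len(msg) < 12 || binary.BigEndian.Uint16(msg[4:]) != 1 {
		return "", nil, errors.New("expected a single-question DNS message")
	}
	qname, off, err := readName(msg, 12)
	if err != nil { return "", nil, err }
	off += 4 // skip QTYPE and QCLASS
	var ips []net.IP
	for i := 0; i < int(binary.BigEndian.Uint16(msg[6:])); i++ {
		_, n, err := readName(msg, off)
		if err != nil { return "", nil, err }
		if n+10 > len(msg) { return "", nil, errTruncated }
		rtype, rdlen := binary.BigEndian.Uint16(msg[n:]), int(binary.BigEndian.Uint16(msg[n+8:]))
		rdata := n + 10
		if rdata+rdlen > len(msg) { return "", nil, errTruncated }
		if rtype == 1 && rdlen == 4 { ips = append(ips, net.IPv4(msg[rdata], msg[rdata+1], msg[rdata+2], msg[rdata+3])) }
		off = rdata + rdlen
	}
	return qname, ips, nil
}

// Unexpected returns answers outside the prefixes expected for the host; a non-empty result
// for an update domain means something in the resolution path substituted an address.
func Unexpected(ips []net.IP, expected []*net.IPNet) (bad []net.IP) {
	for _, ip := range ips {
		ok := false
		for _, n := range expected { ok = ok || n.Contains(ip) }
		if !ok { bad = append(bad, ip) }
	}
	return bad
}

func main() {
	// Constructed sample: placeholder update host and documentation-range addresses.
	q := BuildQuery(0x1234, "update.example-ime.test")
	_, vendorNet, _ := net.ParseCIDR("203.0.113.0/24") // prefix the vendor is known to publish
	for _, answer := range []net.IP{net.IPv4(203, 0, 113, 10), net.IPv4(198, 51, 100, 7)} {
		name, ips, err := ParseAAnswers(BuildAResponse(q, []net.IP{answer})) // legitimate, then rewritten
		fmt.Println(name, ips, err, "unexpected:", Unexpected(ips, []*net.IPNet{vendorNet}))
	}
}
```

Two practical notes. First, vendors behind CDNs rotate answers, so an exact comparison between two resolvers is noisy; comparing against a set of prefixes, or against a reference answer obtained moments earlier, is what keeps the false positive rate down. Second, the implant's iptables rule only captures plain UDP port 53, so a check that obtains its reference answer over DNS over HTTPS or DNS over TLS from the endpoint sees the real answer even on a compromised gateway.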

Hijacking Software Updates

The most notable feature of PlushDaemon operations is its ability to hijack software updates by manipulating legitimate traffic. The update mechanism for many Asian language input tools, regional software installers, and widely used products relies on clear text HTTP traffic or simple domain based resolution, making them vulnerable to adversary in the middle interference.

Once EdgeStepper redirects a DNS query for a targeted domain, the victim’s device connects to a malicious server controlled by PlushDaemon. The malicious server then delivers a trojanized DLL file posing as a legitimate update component. This file, often named popup_4.2.0.2246.dll, is in reality the first stage download tool known as LittleDaemon.

Figure: Traffic capture of the update hijacking process (Source: ESET)

LittleDaemon Delivery and Execution

LittleDaemon is the initial Windows stage executed as part of the hijacked update. The implant masquerades as a benign DLL delivered by legitimate update servers. Once executed, LittleDaemon checks whether the SlowStepper backdoor is already running on the system. If not, it communicates with the hijacking server to download the next stage, a downloader and loader component named DaemonicLogistics.

LittleDaemon uses hardcoded HTTP request paths that normally point to legitimate domains used by software vendors. When EdgeStepper is present, these domains resolve to the attacker’s hijacking node, ensuring that the malicious file download occurs seamlessly for the victim.

LittleDaemon does not appear to maintain persistence directly. Instead, it focuses entirely on acquiring and running DaemonicLogistics.

DaemonicLogistics Loader

DaemonicLogistics is a position independent payload executed in memory after being downloaded by LittleDaemon. The tool’s primary objective is to retrieve and deploy the SlowStepper backdoor. DaemonicLogistics communicates with the hijacking server and interprets HTTP status codes as instructions. These status codes direct the implant to download specific payloads, execute commands, or retrieve plugins.

In observed intrusions, DaemonicLogistics sends queries that include metadata such as the operating system version and MAC address of the victim machine. The server responds with commands to download files that are disguised as ZIP archives or GIF images but contain encrypted payloads. The decrypted files are stored in locations that appear to mimic legitimate products, such as the Tencent directory.
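A practitioner looking for this traffic can check whether a download that claims to be an image or an archive actually has the structure of one. The Go program below is an added example for this article, not ESET's tooling and not the malware: it validates a GIF's signature and trailer byte, validates a ZIP's leading signature and end-of-central-directory record, and reports the body's byte entropy alongside the verdict. The inputs are constructed here, a minimal 1x1 GIF, a ZIP written in memory with archive/zip, and deterministic pseudo-random bytes standing in for an encrypted payload.

```go
package main

import (
	"archive/zip"
	"bytes"
	"fmt"
	"math"
)

// Verdict records how a downloaded body compares with the type the server claimed for it.
type Verdict struct {
	ClaimedType string
	WellFormed  bool    // header and trailer/central directory consistent with the claimed type
	Entropy     float64 // bits per byte; encrypted data sits near 8.0 over the whole body
	Suspicious  bool
}

// ShannonEntropy returns the byte entropy of b in bits per byte (0 for an empty body).
func ShannonEntropy(b []byte) float64 {
	var counts [256]float64
	for _, c := range b { counts[c]++ }
	h := 0.0
	for _, c := range counts {
		if c > 0 { p := c / float64(len(b)); h -= p * math.Log2(p) }
	}
	return h
}

// looksLikeGIF requires the GIF87a/GIF89a signature plus the 0x3B trailer every encoder
// writes last; a blob with only a pasted-on header fails the trailer test.
func looksLikeGIF(b []byte) bool {
	hdr := bytes.HasPrefix(b, []byte("GIF87a")) || bytes.HasPrefix(b, []byte("GIF89a"))
	return hdr && len(b) >= 13 && b[len(b)-1] == 0x3B
}

// looksLikeZIP requires a local-file or empty-archive signature at the start and the
// end-of-central-directory record within the last 65557 bytes, where the format puts it.
func looksLikeZIP(b []byte) bool {
	if !bytes.HasPrefix(b, []byte("PK\x03\x04")) && !bytes.HasPrefix(b, []byte("PK\x05\x06")) {
		return false
	}
	tail := b
	if len(b) > 65557 { tail = b[len(b)-65557:] }
	return bytes.Contains(tail, []byte("PK\x05\x06"))
}

// Inspect compares the Content-Type a server claimed with what it actually sent; a type
// this checker does not know is treated as suspicious rather than trusted.
func Inspect(contentType string, body []byte) Verdict {
	v := Verdict{ClaimedType: contentType, Entropy: ShannonEntropy(body)}
	switch contentType {
	case "image/gif":
		v.WellFormed = looksLikeGIF(body)
	case "application/zip":
		v.WellFormed = looksLikeZIP(body)
	}
	v.Suspicious = !v.WellFormed
	return v
}

// pseudoRandom fills n bytes from a fixed-seed LCG so the example is reproducible; it
// stands in for the encrypted payload bytes that follow a fake header.
func pseudoRandom(n int, seed uint32) []byte {
	out := make([]byte, n)
	for i := range out {
		seed = seed*1664525 + 1013904223
		out[i] = byte(seed >> 24)
	}
	return out
}

// minimalGIF is a constructed 1x1 GIF89a: header, screen descriptor, two-colour palette,
// one image block, trailer.
var minimalGIF = []byte{
	'G', 'I', 'F', '8', '9', 'a', 1, 0, 1, 0, 0x80, 0, 0,
	0, 0, 0, 0xFF, 0xFF, 0xFF,
	0x2C, 0, 0, 0, 0, 1, 0, 1, 0, 0,
	0x02, 0x02, 0x44, 0x01, 0x00,
	0x3B,
}

// sampleZIP builds a real archive in memory so the check has a genuine positive case.
func sampleZIP() []byte {
	var buf bytes.Buffer
	w := zip.NewWriter(&buf)
	f, _ := w.Create("update.txt")
	f.Write([]byte("constructed sample content"))
	w.Close()
	return buf.Bytes()
}

func main() {
	samples := []struct {
		claimed string
		body    []byte
	}{
		{"image/gif", minimalGIF},
		{"image/gif", append([]byte("GIF89a"), pseudoRandom(512, 9)...)}, // header pasted on ciphertext
		{"application/zip", sampleZIP()},
		{"application/zip", append([]byte("PK\x03\x04"), pseudoRandom(512, 7)...)},
	}
	for _, s := range samples {
		fmt.Printf("%+v\n", Inspect(s.claimed, s.body))
	}
}
```

The structural checks, not the entropy value, drive the verdict: legitimate ZIPs and GIF image data are compressed and already sit near 8 bits per byte, so entropy alone would flag every real archive. Entropy is reported because it helps an analyst read the result, and because a high-entropy body that fails the structural check is the signature of ciphertext behind a borrowed header. The GIF trailer test has a one-in-256 chance of passing a random final byte, so in a real pipeline it belongs alongside a full decoder rather than in place of one.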

The SlowStepper Backdoor

SlowStepper is PlushDaemon’s primary espionage backdoor and has been used in multiple operations over several years. The implant provides extensive capabilities for reconnaissance, file manipulation, command execution, and credential collection. SlowStepper includes Python based tooling that harvests browser data, keystrokes, system metadata, and stored credentials. The implant supports custom modules that can be deployed through its command and control channel.

SlowStepper has historically been delivered through trojanized installers, including malicious versions of South Korean VPN clients. The addition of EdgeStepper to the infection chain lets PlushDaemon compromise victims through their software's own automated update checks, with no user interaction at all.

Global Distribution of Victims

Telemetry from ESET indicates that PlushDaemon has compromised victims across several regions since 2019 through malicious updates. Victims include organizations and individuals in:

  • United States
  • Taiwan
  • Hong Kong
  • China
  • New Zealand
  • Cambodia

In Cambodia, the group compromised a Japanese automotive manufacturing operation, demonstrating its focus on industrial and technology sectors. The presence of victims in both East Asia and Western regions highlights PlushDaemon’s broad targeting scope and sustained capability to compromise global networks.

Technical Indicators and Infrastructure

A significant portion of PlushDaemon infrastructure is hosted under domains that resolve to cloud based servers with dynamic IP allocations. DNS nodes and hijacking nodes have been observed operating under dsc.wcsset domains. Attack infrastructure is distributed across Alibaba Cloud and other hosting providers.

The group uses multiple server side components to manage DNS redirection, payload hosting, and command channels. Communications rely on standard HTTP traffic, which blends easily with legitimate update requests.

As part of its operation, EdgeStepper retrieves the address of the DNS node by resolving domain names embedded within its configuration. These domains often reside on attacker controlled infrastructure that also serves as hijacking nodes for the delivery of malicious DLL files.

Broader Implications for Network Security

PlushDaemon's ability to compromise routers and network devices underscores the importance of securing edge equipment. Many routers in homes, small offices, and enterprise environments run outdated firmware and keep weak passwords and default administrative settings. These weaknesses give attackers an easy way to position themselves between victims and critical services.

The group's focus on intercepting software updates also highlights a broader problem: the lack of cryptographic integrity checks in many widely deployed products. Without HTTPS-based update delivery with certificate validation, or a strong signature on the update itself, an adversary who can manipulate DNS can serve malicious payloads that the updater accepts as legitimate.

Mitigation Recommendations

Organizations should prioritize the following steps to defend against PlushDaemon and similar adversary in the middle attacks:

  • Update router firmware promptly and retire devices that no longer receive security updates, since the attacker needs a foothold on the gateway before EdgeStepper can be installed
  • Replace default administrator credentials on all network devices and disable remote administration that is not needed
  • Use encrypted DNS (DNS over TLS or DNS over HTTPS) from endpoints to a trusted resolver, with certificate validation, so that a gateway rule redirecting UDP port 53 cannot silently answer queries; DNSSEC helps only where the endpoint or its resolver validates signatures and the queried zone is signed
  • Ensure software update mechanisms fetch over HTTPS with certificate validation and verify a signature on the update itself, so that a substituted DNS answer alone cannot deliver a payload
  • Monitor DNS answers for update domains and alert on addresses outside the vendor's published ranges or on answers that differ from a reference resolver
  • Audit embedded devices for unexpected processes, listening ports, and firewall rules; a rule redirecting UDP port 53 to a non-standard local port, or an unknown ELF binary on the device, is consistent with EdgeStepper
  • Deploy anti malware solutions capable of detecting LittleDaemon, DaemonicLogistics, and SlowStepper
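The defence that both the update-integrity discussion above and the list item on authenticated updates point to is verification that does not depend on the network path at all. The Go program below is an added example for this article, not any vendor's updater: the client pins the vendor's Ed25519 public key, verifies a signed manifest before parsing it, and only then checks the downloaded file against the hash inside that manifest. The product name, manifest fields and update bytes are constructed; the vendor-side signing step is included only so the example runs offline, and in practice the release key would live in an HSM or an offline signer, never in the updater.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
)

// Manifest is what the vendor publishes for each release. The updater trusts only what
// the vendor's key signed, never whatever the download path happened to return.
type Manifest struct {
	Product  string `json:"product"`
	Version  string `json:"version"`
	Filename string `json:"filename"`
	SHA256   string `json:"sha256"`
}

// SignedManifest carries the exact manifest bytes that were signed plus the signature.
type SignedManifest struct {
	Manifest  []byte
	Signature []byte
}

var (
	ErrBadSignature = errors.New("manifest signature does not verify against the pinned vendor key")
	ErrWrongProduct = errors.New("signed manifest is for a different product")
	ErrHashMismatch = errors.New("downloaded file does not match the hash in the signed manifest")
)

// Sign is the vendor-side release step, present only so the example is self-contained.
func Sign(priv ed25519.PrivateKey, m Manifest) (SignedManifest, error) {
	raw, err := json.Marshal(m)
	if err != nil {
		return SignedManifest{}, err
	}
	return SignedManifest{Manifest: raw, Signature: ed25519.Sign(priv, raw)}, nil
}

// Verify is the client-side step. Order matters: the signature is checked over the raw
// bytes before anything is parsed, so a hijacked server cannot feed the JSON decoder
// attacker-chosen input, and the file hash is checked against the signed manifest, not
// against anything the server said about the file.
func Verify(pinned ed25519.PublicKey, product string, sm SignedManifest, file []byte) (Manifest, error) {
	if !ed25519.Verify(pinned, sm.Manifest, sm.Signature) {
		return Manifest{}, ErrBadSignature
	}
	var m Manifest
	if err := json.Unmarshal(sm.Manifest, &m); err != nil {
		return Manifest{}, err
	}
	if m.Product != product {
		return Manifest{}, ErrWrongProduct
	}
	sum := sha256.Sum256(file)
	if hex.EncodeToString(sum[:]) != m.SHA256 {
		return Manifest{}, ErrHashMismatch
	}
	return m, nil
}

func main() {
	// Constructed scenario: one vendor key, one signed release, then the two substitutions
	// an adversary-in-the-middle can make once the client is pointed at its own server.
	vendorPub, vendorPriv, _ := ed25519.GenerateKey(rand.Reader)
	genuine := []byte("constructed genuine update component")
	sum := sha256.Sum256(genuine)
	sm, _ := Sign(vendorPriv, Manifest{Product: "example-ime", Version: "4.2.1",
		Filename: "popup.dll", SHA256: hex.EncodeToString(sum[:])})

	_, err := Verify(vendorPub, "example-ime", sm, genuine)
	fmt.Println("genuine file, vendor-signed manifest:", err)

	trojan := []byte("trojanized component")
	_, err = Verify(vendorPub, "example-ime", sm, trojan)
	fmt.Println("swapped file, vendor-signed manifest:", err)

	_, attackerPriv, _ := ed25519.GenerateKey(rand.Reader)
	tsum := sha256.Sum256(trojan)
	forged, _ := Sign(attackerPriv, Manifest{Product: "example-ime", Version: "4.2.2",
		Filename: "popup.dll", SHA256: hex.EncodeToString(tsum[:])})
	_, err = Verify(vendorPub, "example-ime", forged, trojan)
	fmt.Println("swapped file, attacker-signed manifest:", err)
}
```

With this in place, DNS hijacking alone buys the attacker nothing: a substituted file fails the hash check and a substituted manifest fails the signature check, whatever address the update host resolved to. Two things this minimal client does not cover and a production updater must: rollback protection (an attacker replaying an old, genuinely signed manifest for a version with a known flaw) and freeze attacks (serving the same stale manifest forever); both are addressed by signed version counters and expiry times in frameworks such as TUF.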

Users who suspect compromise should also perform a full scan of their machine with reputable anti malware solutions. We recommend scanning with Malwarebytes to identify and remove known PlushDaemon components.

PlushDaemon’s continued focus on DNS hijacking, router compromise, and trojanized update deployments marks it as one of the more technically capable espionage groups active today. Its toolset offers persistent access, multi stage infection capabilities, and highly adaptive command and control mechanisms. Continued analysis of EdgeStepper, LittleDaemon, DaemonicLogistics, and SlowStepper reveals an evolving ecosystem of tools designed to silently compromise victims through channels users implicitly trust.


Sean Doyle

Sean is a tech author and security researcher with more than 20 years of experience in cybersecurity, privacy, malware analysis, analytics, and online marketing. He focuses on clear reporting, deep technical investigation, and practical guidance that helps readers stay safe in a fast-moving digital landscape. His work continues to appear in respected publications, including articles written for Private Internet Access. Through Botcrawl and his ongoing cybersecurity coverage, Sean provides trusted insights on data breaches, malware threats, and online safety for individuals and businesses worldwide.
