A newly documented cyber‑espionage operation by the group known as PlushDaemon demonstrates how attackers can abuse trusted software update mechanisms by first compromising routers and then hijacking update traffic. According to new research from ESET, the group uses a custom toolset, including the EdgeStepper malware, to silently redirect update requests and deliver backdoors instead of legitimate patches.
PlushDaemon cyber‑espionage campaign: targets, geography, and attribution
ESET traces PlushDaemon activity back to at least 2018, with victims identified in the United States, China, Taiwan, Hong Kong, South Korea, and New Zealand. The targeting includes both individuals and organizations, which is typical for long‑term espionage operations rather than broad financially motivated malware campaigns.
Observed victims span electronics manufacturers, universities, and a factory of a major Japanese automotive company in Cambodia. The combination of targets, infrastructure, and tradecraft aligns with techniques commonly associated with Chinese state‑linked APT (Advanced Persistent Threat) groups, although there is no public, formal state‑level attribution to date. This lack of official attribution is common in complex espionage cases, where proving sponsorship beyond reasonable doubt is difficult.
Attack chain: from router compromise to malicious software updates
Router compromise and DNS hijacking via EdgeStepper
The PlushDaemon operation centers on compromising network edge devices, particularly home and small‑office routers. Attackers exploit known vulnerabilities or abuse weak and default passwords to gain administrative access. Once inside, they deploy EdgeStepper, a Go‑based ELF binary designed to run directly on the router.
EdgeStepper implements an adversary‑in‑the‑middle (AitM) model. It intercepts DNS queries and selectively redirects them to attacker‑controlled DNS servers when they match specific domains, primarily those used for software update services. This allows PlushDaemon to manipulate only targeted traffic while keeping the rest of the network behavior normal, significantly reducing the chances of detection.
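The selective redirection described above gives defenders a detection handle: the router's answers for update domains diverge from an independent resolver while answers for every other domain still agree. The Go program below is an added example (not ESET's code or any tooling from the research) that applies that comparison to constructed sample lookups; the hostnames, addresses and the vendor address‑range baseline are placeholders, and it assumes the out‑of‑band answers were obtained over a path the router cannot see.

```go
package main

import "fmt"
import "net"

// Observation is one lookup seen from a LAN client: the answer the local router
// (where EdgeStepper would sit) gave, and the answers an out-of-band resolver
// returned over a path the router cannot intercept (e.g. DoH on a mobile link).
type Observation struct {
	Domain     string
	RouterIP   string
	TrustedIPs map[string]bool
}

func inRanges(ip string, cidrs []string) bool {
	for _, c := range cidrs {
		if _, n, err := net.ParseCIDR(c); err == nil && n.Contains(net.ParseIP(ip)) {
			return true
		}
	}
	return false
}

// Analyze flags update hosts (baseline keys, mapped to the vendor's known address
// ranges) whose router answer matches neither the trusted resolver nor the baseline,
// so GeoDNS answers that merely differ by resolver do not alarm. selective is true
// when hosts are flagged while every control domain still agrees: filtered redirection.
func Analyze(obs []Observation, baseline map[string][]string) (flagged []string, selective bool) {
	controlsAgree := true
	for _, o := range obs {
		cidrs, isUpdateHost := baseline[o.Domain]
		if isUpdateHost && !o.TrustedIPs[o.RouterIP] && !inRanges(o.RouterIP, cidrs) {
			flagged = append(flagged, o.Domain)
		} else if !isUpdateHost && !o.TrustedIPs[o.RouterIP] {
			controlsAgree = false
		}
	}
	return flagged, len(flagged) > 0 && controlsAgree
}

func main() {
	// Constructed sample: hostnames and addresses are placeholders, not IoCs.
	baseline := map[string][]string{"update.ime.example": {"203.0.113.0/24"}}
	obs := []Observation{
		{"update.ime.example", "198.51.100.7", map[string]bool{"203.0.113.10": true}},
		{"www.example.com", "192.0.2.20", map[string]bool{"192.0.2.20": true}},
	}
	fmt.Println(Analyze(obs, baseline)) // [update.ime.example] true
}
```

If the router answers differently for every domain, the result is flagged but not selective, which more often means a different legitimate upstream than an EdgeStepper‑style filter.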
Abusing software update infrastructure for malware delivery
Since around 2019, ESET has observed PlushDaemon shifting almost entirely to a model based on software update hijacking. Unlike classical supply‑chain attacks, in which the vendor’s infrastructure or build process is compromised, PlushDaemon leaves vendors untouched and instead tampers with update traffic “in transit” at the router level.
EdgeStepper filters DNS requests and only hijacks those linked to update services. ESET reports documented abuse of update traffic for the popular Chinese input method Sogou Pinyin, along with other undisclosed software products. From the user’s perspective, the process appears identical to a routine update, but the downloaded “update” is, in reality, malware controlled by the attackers.
Multi‑stage malware toolkit: LittleDaemon, DaemonicLogistics, and SlowStepper
When a victim installs the spoofed update, the first component executed is a loader called LittleDaemon, disguised as a DLL named popup_4.2.0.2246.dll. This initial stage contacts the attacker’s infrastructure and retrieves the next module in the chain, known as DaemonicLogistics.
DaemonicLogistics is decrypted and executed directly in memory, a technique often used to evade traditional antivirus solutions that primarily inspect files on disk. Its main role is to load the primary backdoor, SlowStepper, which provides long‑term access and control over the compromised system.
SlowStepper backdoor: capabilities and data theft
The SlowStepper backdoor offers a full set of remote access Trojan (RAT) capabilities, including detailed system reconnaissance, file management, and remote command execution. It can also fetch and run additional Python‑based espionage modules tailored for stealing browser data, capturing keystrokes, and extracting stored credentials.
SlowStepper is not entirely new. ESET previously observed it in an intrusion against users of the South Korean VPN service IPany, where attackers compromised the provider’s official website and distributed a trojanized installer. PlushDaemon’s current campaign generalizes this idea: instead of compromising a single vendor, the group weaponizes router‑level DNS hijacking to target multiple applications’ update channels.
Why software update hijacking via routers is a global security risk
The PlushDaemon operation underscores how router compromise and software update hijacking can bypass many conventional defenses. Because the attack abuses legitimate and expected network flows, it can:
- Bypass email security and user awareness training, as it does not rely on phishing;
- Exploit inherent trust in software vendors and their automatic update mechanisms;
- Blend into normal update traffic, supporting stealthy, long‑term persistence in networks;
- Potentially impact both office IT systems and industrial or OT environments that depend on affected software.
Real‑world incidents such as SolarWinds Orion and CCleaner showed how supply‑chain compromises can ripple through thousands of organizations at once. PlushDaemon demonstrates that even without breaching a vendor, adversary‑in‑the‑middle attacks on updates can deliver similar impact if routers and DNS traffic are left unprotected.
Defensive measures against adversary‑in‑the‑middle software update attacks
Mitigating risks from campaigns like PlushDaemon requires a combination of network hygiene, update hardening, and continuous monitoring. Key measures include:
- Router and network device security: keep firmware updated, disable unnecessary remote administration, enforce strong unique passwords, and phase out unsupported devices.
- DNS and update traffic control: monitor for anomalous DNS patterns, use trusted or encrypted DNS resolvers, and verify which domains and IPs are used for critical software updates.
- Update integrity validation: enforce validation of digital signatures, restrict update sources via allowlists at firewall and proxy levels, and rely on official repositories wherever possible.
- Network detection and EDR: deploy NDR/EDR solutions capable of detecting unusual process behavior, unknown binaries, and outbound connections to suspicious infrastructure.
- Vendor‑side supply‑chain security: for software producers, harden build pipelines, update servers, and signing infrastructure, and perform regular security audits.
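For the update integrity measure above, the following is an added Go example (not any vendor's or ESET's code) of the client‑side check that makes a substituted download fail regardless of what DNS answered; the manifest format, the pinned Ed25519 vendor key and the sample update bytes are all this example's own assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Manifest layout is this example's own assumption, not any vendor's format.
type Manifest struct {
	Version     uint64
	PayloadHash [32]byte
}

// encode yields the exact signed bytes: 8-byte big-endian version, then digest.
func (m Manifest) encode() []byte {
	b := make([]byte, 8, 40)
	binary.BigEndian.PutUint64(b, m.Version)
	return append(b, m.PayloadHash[:]...)
}

var ErrSignature = errors.New("manifest signature invalid for pinned vendor key")
var ErrHash = errors.New("payload digest does not match signed manifest")

// VerifyUpdate accepts an update only if the manifest verifies under the key
// pinned in the client and the payload hashes to the signed digest. Where the
// bytes came from is irrelevant: a payload substituted via hijacked DNS fails the
// digest check; a manifest altered or re-signed with any other key fails the first.
func VerifyUpdate(pinned ed25519.PublicKey, m Manifest, sig, payload []byte) error {
	if !ed25519.Verify(pinned, m.encode(), sig) {
		return ErrSignature
	}
	if sha256.Sum256(payload) != m.PayloadHash {
		return ErrHash
	}
	return nil
}

func main() {
	// Vendor side, simulated only to build sample data; a real client ships
	// with the public key pinned and never holds the private key.
	pub, priv, _ := ed25519.GenerateKey(nil)
	genuine := []byte("constructed sample: legitimate update 4.2.1")
	m := Manifest{Version: 421, PayloadHash: sha256.Sum256(genuine)}
	sig := ed25519.Sign(priv, m.encode())
	fmt.Println(VerifyUpdate(pub, m, sig, genuine), VerifyUpdate(pub, m, sig, []byte("swapped in transit")))
}
```

Pin the public key in the client build rather than fetching it from the update host, because the same hijacked DNS that serves a fake payload could serve an attacker's key alongside it.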
PlushDaemon’s use of EdgeStepper on routers and the SlowStepper backdoor on endpoints highlights that the modern security perimeter extends far beyond servers and workstations. Home and edge routers, DNS resolution paths, and automated software update mechanisms are now critical attack surfaces. Organizations that rely heavily on automatic updates should systematically review how updates are obtained, validated, and monitored, and invest in securing network infrastructure and traffic visibility to reduce the likelihood and impact of similar cyber‑espionage operations.