Researchers at ESET have uncovered a sophisticated cyberespionage campaign by the China-aligned group PlushDaemon, exploiting trusted software update channels and compromised network devices to infiltrate global targets across sectors and regions.
Researchers at cybersecurity firm ESET have uncovered a covert and advanced cyberespionage campaign operated by a China-aligned threat group known as PlushDaemon. The group has been quietly hijacking software update traffic from compromised network devices, showing how a seemingly innocuous router can serve as a gateway for attacks far beyond its own network. The newly identified implant, called EdgeStepper, manipulates DNS requests on the hacked device to divert software update queries to malicious servers controlled by PlushDaemon, allowing espionage tools to be installed on victim machines without raising suspicion.
The modus operandi involves EdgeStepper intercepting DNS requests and rerouting them to external DNS servers under the attackers’ control. These servers respond with IP addresses pointing to nodes that hijack software updates. Through this method, the group pushes downloaders named LittleDaemon and DaemonicLogistics onto the victim’s system. These downloaders then facilitate deployment of a backdoor toolkit known as SlowStepper, a sophisticated implant comprising dozens of components designed for espionage activities. According to ESET researcher Facundo Muñoz, this redirection targets update servers of popular Chinese software products, underscoring the attackers’ focus on leveraging trusted channels to deliver their payload.
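The redirection described above works because the victim trusts whatever the network's resolver answers. One defensive check that follows from this (an added example, not code from ESET or from the report) is to resolve each update hostname through the network-configured resolver and through an independent out-of-band resolver, then compare both answers against the address ranges the vendor actually publishes. The hostnames, ranges and resolver tables below are constructed placeholders, not indicators from the report; `system_resolver` shows where a real lookup plugs in.

```python
import ipaddress
import socket
from typing import Callable, Dict, List

# A resolver maps a hostname to its A records; real ones (the system resolver
# below, or a DNS-over-HTTPS client) plug in alongside the constructed stubs.
Resolver = Callable[[str], List[str]]

# Constructed placeholder hostnames and ranges, not values from the ESET report:
# pin each update hostname to the address space the vendor publishes.
EXPECTED_RANGES: Dict[str, List[str]] = {
    "update.vendor-a.test": ["203.0.113.0/24"],
    "update.vendor-b.test": ["198.18.0.0/15"],
}

def system_resolver(host: str) -> List[str]:
    """Ask the network-configured resolver, i.e. the path a hijacked router controls."""
    return socket.gethostbyname_ex(host)[2]

def answers_in_ranges(answers: List[str], ranges: List[str]) -> bool:
    """True only if there is at least one answer and every answer is inside a pinned range."""
    nets = [ipaddress.ip_network(r) for r in ranges]
    return bool(answers) and all(
        any(ipaddress.ip_address(a) in n for n in nets) for a in answers
    )

def check_host(host: str, local: Resolver, oob: Resolver) -> Dict:
    """Compare the local resolver's answer with an out-of-band one and with the pinned ranges."""
    local_ans, oob_ans = sorted(set(local(host))), sorted(set(oob(host)))
    findings: List[str] = []
    if not local_ans:
        findings.append("no_answer")
    elif local_ans != oob_ans:
        findings.append("resolver_mismatch")
    if host in EXPECTED_RANGES and not answers_in_ranges(local_ans, EXPECTED_RANGES[host]):
        findings.append("outside_vendor_range")
    return {"host": host, "local": local_ans, "oob": oob_ans, "findings": findings}

# Constructed stand-ins: the local resolver has been redirected for vendor A,
# while the out-of-band resolver still returns the vendor's real address.
HIJACKED_LOCAL = {"update.vendor-a.test": ["192.0.2.44"], "update.vendor-b.test": ["198.18.5.1"]}
TRUSTED_OOB = {"update.vendor-a.test": ["203.0.113.10"], "update.vendor-b.test": ["198.18.5.1"]}

def local_stub(host: str) -> List[str]:
    return HIJACKED_LOCAL.get(host, [])

def oob_stub(host: str) -> List[str]:
    return TRUSTED_OOB.get(host, [])

def audit(hosts: List[str], local: Resolver = local_stub, oob: Resolver = oob_stub) -> List[Dict]:
    """Return only the hosts whose resolution looks tampered with."""
    return [r for r in (check_host(h, local, oob) for h in hosts) if r["findings"]]

if __name__ == "__main__":
    for finding in audit(list(EXPECTED_RANGES)):
        print(finding)
```

In production the two resolver callables would be `system_resolver` and an encrypted out-of-band client, and a `resolver_mismatch` on an update hostname is the signal to block the update and inspect the gateway.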
PlushDaemon has demonstrated a broad geographic and sectoral reach, targeting entities across the United States, New Zealand, Cambodia, Hong Kong, Taiwan, South Korea, and mainland China. Its victims encompass universities, electronics manufacturers, automotive companies, and other industrial and commercial organisations. Notably, the group has previously exploited web server vulnerabilities and carried out a supply chain attack against a South Korean VPN provider by replacing legitimate installers with malware-laden versions. This supply chain compromise deployed SlowStepper on victims’ systems, further exemplifying PlushDaemon’s adaptability in breaching networks through various vectors.
The group has been active since at least 2019, maintaining a persistent presence through evolving techniques. ESET's data shows that PlushDaemon engages in espionage targeting individuals and organisations in key East Asian markets and Western regions alike. The SlowStepper backdoor, central to its operations, possesses extensive capabilities for data collection and infiltration, making it a formidable tool in the group's cyber arsenal. The supply chain attacks, especially against trusted entities like VPN providers, have elevated PlushDaemon's threat profile and underline the need for vigilant security measures in software update processes.
ESET’s findings illustrate the growing sophistication of nation-aligned cyber espionage actors who exploit trusted network components and widely used software to infiltrate target networks stealthily. By compromising a single network device and rerouting DNS traffic, PlushDaemon can install backdoors that enable persistent surveillance and data exfiltration on a global scale. This case highlights the urgent importance of robust credential management, regular software patching, and monitoring of update channels to mitigate such supply chain and DNS hijacking threats.
In broader cybersecurity efforts, ESET has been involved in significant operations against malware threats, collaborating with tech companies to disrupt dangerous infostealers and botnets. This collective vigilance remains crucial in countering the sophisticated tactics employed by APT groups like PlushDaemon, whose operations blur conventional geographic and sector boundaries in pursuit of intelligence gathering.
📌 Reference Map:
- [1] (Help Net Security) – Paragraph 1, Paragraph 2, Paragraph 3, Paragraph 4, Paragraph 5, Paragraph 6
- [2] (ESET Press Release) – Paragraph 3, Paragraph 4
- [3] (Bleeping Computer) – Paragraph 3, Paragraph 4
- [4] (Cybersecurity Services) – Paragraph 3, Paragraph 4
- [5] (SNS Mideast) – Paragraph 4
- [6] (TechRadar) – Paragraph 4
- [7] (GlobeNewswire) – Paragraph 6
Source: Noah Wire Services