China-Backed Hackers Use New “EdgeStepper” Implant To Hijack Software Updates

Researchers at ESET have identified a new DNS redirection implant that enables Adversary-in-the-Middle (AitM) attacks against a wide range of networks and organizations.

Published on Nov 20, 2025

A China-aligned threat group tracked as PlushDaemon has extended its extensive, ongoing espionage operations with a previously unknown network implant that ESET has named EdgeStepper.

According to a new ESET advisory, EdgeStepper's primary function is to silently redirect DNS queries passing through a compromised network device to an attacker-controlled DNS server. When software on a victim machine checks for updates, the attacker's resolver answers the update domain with the address of a server the attacker controls, so the legitimate update request is intercepted and the legitimate payload is replaced with a malicious one.

Since 2018, PlushDaemon has targeted individuals and organizations throughout the US, China, Taiwan, Hong Kong, South Korea, New Zealand, and Cambodia.

PlushDaemon's signature payload is a custom backdoor known as “SlowStepper”. To get onto victim systems in the first place, the group has relied on hijacked software updates, vulnerabilities in web servers, and what appears to be a single supply-chain attack in 2023.

EdgeStepper Implant and Methods of Attack

As for EdgeStepper, “according to the symbols in the binary, [it] was originally called dns_cheat_v2,” explained ESET researchers Facundo Muñoz and Dávid Gábriš. “It was developed in Go using the open-source GoFrame framework, and compiled as an ELF file for MIPS32 processors.”

Once installed on a compromised edge device, the implant silently redirects all DNS queries passing through that device to a malicious resolution node.

ESET found that once DNS queries were redirected to the hijacking node, the hijacked update typically delivered a first-stage downloader called LittleDaemon, which retrieved a second downloader called DaemonicLogistics, which in turn downloaded and installed SlowStepper.

All three components use lightweight encryption and process checks to hinder simple detection and removal of the malware.

ESET's telemetry shows PlushDaemon using this update-hijacking chain against victims from 2019 through 2025, including universities, electronics manufacturers, automotive firms, and other organizations.

Geographical distribution of victims. Credit: ESET.

Network security teams should monitor for unusual DNS activity (in particular, update domains resolving to unexpected addresses), validate software updates before installing them, for example by verifying their digital signatures rather than trusting the download source, and harden the network edge devices on which implants like EdgeStepper run, in order to prevent similar AitM attacks.
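As an added example (it is not code from ESET's report or from PlushDaemon's tooling), the Python script below shows the kind of DNS monitoring the recommendation above describes, applied to the hijack mechanism described earlier on the page. It parses a constructed DNS log and raises three kinds of finding: an update domain resolving outside its vendor's expected address ranges; a query answered by a resolver the organization does not run; and one address standing in for several unrelated update domains, which is what a single hijacking node impersonating every vendor it targets looks like. A final function compares observed answers against answers obtained from an out-of-band vantage point. The log format, domain names, resolver addresses, allowlisted ranges and reference answers are all assumptions made for the example.

```python
"""Flag DNS answers that look like on-path update hijacking.

Added example only; everything below (log format, domains, ranges) is constructed.
"""
import ipaddress
from collections import defaultdict

# Resolvers this hypothetical organization actually operates.
TRUSTED_RESOLVERS = {"10.0.0.53", "10.0.1.53"}

# Update hostnames and the ranges their vendor is expected to answer from.
# Hypothetical names and documentation prefixes; a real allowlist would be built
# from vendor/CDN publications or from a trusted out-of-band resolver.
UPDATE_DOMAIN_RANGES = {
    "update.vendor-a.example": ["203.0.113.0/24"],
    "dl.vendor-b.example": ["198.51.100.0/24"],
    "cdn.vendor-c.example": ["198.51.100.0/24", "2001:db8:c::/48"],
}

# Constructed log: "timestamp client resolver qname answer", one record per line.
SAMPLE_LOG = """\
# ts                   client     resolver    qname                   answer
2025-11-18T09:00:01Z   10.0.5.21  10.0.0.53   update.vendor-a.example 203.0.113.17
2025-11-18T09:00:05Z   10.0.5.21  10.0.0.53   www.example.org         93.184.216.34
2025-11-18T09:12:43Z   10.0.5.21  10.0.0.53   update.vendor-a.example 192.0.2.44
2025-11-18T09:12:44Z   10.0.5.21  10.0.0.53   dl.vendor-b.example     192.0.2.44
2025-11-18T09:13:10Z   10.0.5.22  192.0.2.9   cdn.vendor-c.example    198.51.100.8
"""

# Constructed answers from an out-of-band vantage point (e.g. DNS-over-HTTPS to a
# public resolver queried from outside the suspect network).
REFERENCE_ANSWERS = {
    "update.vendor-a.example": {"203.0.113.17", "203.0.113.18"},
    "dl.vendor-b.example": {"198.51.100.40"},
}


def _in_ranges(addr, cidrs):
    """True if addr falls inside any of the CIDR ranges (v4/v6 mismatch is False)."""
    ip = ipaddress.ip_address(addr)
    return any(ip in ipaddress.ip_network(c) for c in cidrs)


def parse_log(text):
    """Parse the constructed log format into dicts; blank and '#' lines are skipped."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, client, resolver, qname, answer = line.split()
        records.append({"ts": ts, "client": client, "resolver": resolver,
                        "qname": qname.lower().rstrip("."), "answer": answer})
    return records


def analyse(records):
    """Return (rule, subject, address, client) findings for hijack-like DNS behaviour."""
    findings = []
    bad_answer_domains = defaultdict(set)   # unexpected answer -> update domains it served
    for r in records:
        # Rule 1: an update domain resolved outside its vendor's published ranges.
        ranges = UPDATE_DOMAIN_RANGES.get(r["qname"])
        if ranges is not None and not _in_ranges(r["answer"], ranges):
            findings.append(("unexpected-update-answer", r["qname"], r["answer"], r["client"]))
            bad_answer_domains[r["answer"]].add(r["qname"])
        # Rule 2: query answered by a resolver the organization does not run. An on-path
        # redirect performed on the edge device can leave the client-visible resolver
        # address unchanged, so this rule only catches the cruder cases.
        if r["resolver"] not in TRUSTED_RESOLVERS:
            findings.append(("untrusted-resolver", r["qname"], r["resolver"], r["client"]))
    # Rule 3: one *unexpected* address serving several unrelated update domains. Only
    # unexpected answers count, so vendors legitimately sharing a CDN are not flagged.
    for addr, domains in bad_answer_domains.items():
        if len(domains) >= 2:
            findings.append(("shared-hijack-address", ",".join(sorted(domains)), addr, "*"))
    return findings


def diff_against_reference(records, reference):
    """List (qname, observed, expected) where an answer disagrees with the reference."""
    mismatches = []
    for r in records:
        expected = reference.get(r["qname"])
        if expected is not None and r["answer"] not in expected:
            mismatches.append((r["qname"], r["answer"], sorted(expected)))
    return mismatches


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for f in analyse(recs):
        print("FINDING", *f)
    for m in diff_against_reference(recs, REFERENCE_ANSWERS):
        print("REFERENCE MISMATCH", *m)
```

Because an implant in EdgeStepper's position redirects traffic on the edge device itself, the resolver address a client sees can look entirely normal; the answer-based checks (rules 1 and 3) are therefore the ones to rely on, and the strongest version of the check is to re-resolve the update domains from a vantage point the suspect device is not on-path for and compare, as the last function does. In the sample log, the two update domains answered by the same documentation-range address 192.0.2.44 trigger rules 1 and 3, while the two vendors legitimately sharing 198.51.100.0/24 do not.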