ESET Exposes PlushDaemon’s Global Espionage Campaign
PlushDaemon's EdgeStepper: new tool hijacks software-update traffic worldwide
ESET researchers have revealed a new stage in the operations of PlushDaemon, a China-aligned cyberespionage group active since at least 2018. The group has been deploying a previously undocumented implant called EdgeStepper to compromise network devices and redirect DNS traffic. By hijacking legitimate software-update channels, attackers covertly install malware on targeted systems. This discovery highlights the growing sophistication of adversary-in-the-middle attacks.
EdgeStepper and Its Role
EdgeStepper reroutes DNS queries to rogue servers that intercept and replace legitimate update traffic. Through this mechanism, PlushDaemon deploys downloaders such as LittleDaemon and DaemonicLogistics onto Windows machines. These tools eventually deliver SlowStepper, a modular backdoor with dozens of components designed for espionage. ESET confirmed that several widely used Chinese software applications had their update mechanisms manipulated during these operations.
Once installed, EdgeStepper immediately begins redirecting DNS requests. Malicious nodes check whether domains relate to software updates and respond with hijacking server addresses. In some cases, servers act both as DNS nodes and hijacking servers, simplifying the attack chain. According to ESET researcher Facundo Muñoz, this technique allowed PlushDaemon to compromise multiple popular applications.
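The redirection pattern described above leaves a trace in resolver logs: a hijacking node that answers for every update-related domain shows up as one address shared across unrelated update hostnames, and as answers that disagree with a clean baseline. The script below is an added illustration of that check, not code from ESET or the report; the log format, the marker list, the baseline and all addresses are constructed assumptions.

```python
"""Flag DNS answers that redirect software-update domains to a shared rogue host."""
import ipaddress
from collections import defaultdict

# Substrings marking an update-related hostname (assumption: tune to your estate)
UPDATE_MARKERS = ("update", "upgrade", "dl.", "download", "patch")

# Known-good answers per update domain (assumption: captured from a clean resolver)
BASELINE = {
    "update.example-app.com": {"203.0.113.10"},
    "dl.example-cdn.net": {"203.0.113.20", "203.0.113.21"},
}

# Constructed resolver log: "<timestamp> <client> <qname> A <answer_ip>"
SAMPLE_LOG = """\
2025-01-10T09:00:01Z 10.0.0.5 update.example-app.com A 198.51.100.7
2025-01-10T09:00:02Z 10.0.0.5 www.example-news.org A 203.0.113.99
2025-01-10T09:00:03Z 10.0.0.6 dl.example-cdn.net A 198.51.100.7
2025-01-10T09:00:04Z 10.0.0.7 patch.example-suite.cn A 198.51.100.7
2025-01-10T09:00:05Z 10.0.0.8 update.example-app.com A 203.0.113.10
"""


def is_update_domain(qname):
    return any(marker in qname.lower() for marker in UPDATE_MARKERS)


def parse_log(text):
    """Return (timestamp, client, qname, answer) tuples for A-record answers."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5 or parts[3] != "A":
            continue
        ts, client, qname, _, answer = parts
        ipaddress.ip_address(answer)  # reject malformed answers early
        records.append((ts, client, qname.rstrip("."), answer))
    return records


def find_hijacks(records, min_domains=2):
    """Return (qname, answer, reason) alerts for suspicious update-domain answers."""
    domains_per_answer = defaultdict(set)
    for _, _, qname, answer in records:
        if is_update_domain(qname):
            domains_per_answer[answer].add(qname)
    alerts = []
    for _, _, qname, answer in records:
        if not is_update_domain(qname):
            continue
        expected = BASELINE.get(qname)
        if expected is not None and answer not in expected:
            alerts.append((qname, answer, "answer differs from baseline"))
        elif len(domains_per_answer[answer]) >= min_domains:
            alerts.append((qname, answer, "shared answer for unrelated update domains"))
    return alerts
```

A non-update domain is ignored, and an answer that matches the baseline produces no alert, so only the three redirected update lookups in the constructed log are reported.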
Global Reach and Victims
PlushDaemon’s campaigns have targeted organizations across the United States, Taiwan, Hong Kong, Cambodia, New Zealand, and mainland China. Victims included a Beijing academic institution, a Taiwanese electronics manufacturer, an automotive company, and the regional operations of a Japanese enterprise. Initial access often came through compromised routers or similar devices, exploiting vulnerabilities or weak administrative passwords. Once inside, attackers deployed EdgeStepper or other malicious tools to maintain persistence.
The group has a history of using custom malware, with SlowStepper serving as its hallmark espionage backdoor. Past operations included exploiting web-server vulnerabilities and conducting a supply-chain attack in 2023. These activities demonstrate PlushDaemon’s ability to adapt its methods over time. ESET’s findings suggest the group continues to refine its techniques to expand its reach.
Technical Analysis and Ongoing Research
ESET’s analysis shows that PlushDaemon’s infrastructure is designed to intercept traffic at scale. By combining DNS manipulation with modular backdoors, the group can monitor and infiltrate systems globally. Researchers emphasize that the attacks highlight the risks of insecure update mechanisms. Organizations relying on software updates remain vulnerable if network devices are compromised.
ESET has published a detailed technical breakdown on its WeLiveSecurity blog. Updates are also shared through platforms including X, BlueSky, and Mastodon. The company continues to track PlushDaemon’s activities and provide insights into its evolving tactics. Ongoing research aims to help organizations strengthen defenses against adversary-in-the-middle attacks.
DNS hijacking has long been used in cybercrime, but PlushDaemon’s EdgeStepper shows how attackers are now targeting software-update channels directly. This approach allows them to bypass traditional defenses and exploit trust in legitimate update mechanisms, making detection significantly harder.
