A China-linked cyberespionage group known as PlushDaemon is hijacking software-update traffic using a network-level implant called ‘EdgeStepper,’ according to new research from ESET.
Active since at least 2018, PlushDaemon has targeted organizations and individuals across the United States, China, Taiwan, Hong Kong, South Korea, and New Zealand, deploying a range of custom tools including the previously documented SlowStepper backdoor. Victims span electronics manufacturers, universities, and a Japanese automotive plant in Cambodia.
Since 2019, the group has increasingly compromised networks via malicious updates. Attackers first gain access to vulnerable or poorly secured network devices (for example, routers), install the EdgeStepper implant, and then redirect software-update traffic to servers under their control.
EdgeStepper is written in Go, compiled as an ELF binary, and designed to perform adversary-in-the-middle attacks from the compromised network device. It intercepts DNS queries passing through the device and checks whether they relate to software-update domains. If so, the query is rerouted to a malicious DNS node, which points the client at attacker-controlled infrastructure that serves a Windows downloader named ‘LittleDaemon,’ disguised as a benign DLL file. LittleDaemon then retrieves a second-stage dropper called ‘DaemonicLogistics’ and launches it directly in memory.
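The hijack described above leaves a network-visible trace: an update domain that suddenly resolves to an address the vendor does not own, often a LAN address when the redirect points back at the compromised device. The following is an added example, not code from ESET or from the PlushDaemon toolset, of the kind of check a defender can run over resolver logs. The log format, the domain names and the baseline address ranges are all constructed for illustration; a real baseline must come from an out-of-band source (vendor documentation, or a trusted resolver queried from a clean network), never from the on-path resolver being audited.

```python
"""Flag DNS answers for software-update domains that fall outside a known-good baseline.

Added example, not ESET's or PlushDaemon's code. Every domain, address and log line
below is constructed for illustration.
"""
import ipaddress
import re
from typing import Dict, Iterable, List, Optional, Tuple

# Hypothetical baseline: update domains and the address ranges the vendor really uses.
UPDATE_DOMAIN_BASELINE: Dict[str, List[str]] = {
    "update.example-ime.test": ["203.0.113.0/24"],
    "updates.example-vpn.test": ["198.51.100.0/24"],
}

# RFC 1918, loopback and link-local ranges. Listed explicitly rather than via
# ipaddress.is_private, which also treats the TEST-NET documentation ranges as private.
LAN_RANGES = [
    ipaddress.ip_network(c)
    for c in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")
]

# Assumed (constructed) resolver log format: "<ts> client <ip> query <qname> A -> <answer>"
LOG_RE = re.compile(r"^(?P<ts>\S+) client (?P<client>\S+) query (?P<qname>\S+) A -> (?P<answer>\S+)$")


def parse_line(line: str) -> Optional[dict]:
    """Return the fields of one log line, or None if the line does not match the format."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def matching_update_domain(qname: str, baseline: Dict[str, List[str]]) -> Optional[str]:
    """Return the baseline entry covering qname (exact match or a subdomain of it), else None."""
    q = qname.rstrip(".").lower()
    for domain in baseline:
        if q == domain or q.endswith("." + domain):
            return domain
    return None


def classify_answer(domain: str, answer: str, baseline: Dict[str, List[str]]) -> Optional[str]:
    """Return a reason string if the answer for an update domain is suspicious, else None."""
    try:
        addr = ipaddress.ip_address(answer)
    except ValueError:
        return "unparseable_answer"
    if any(addr in net for net in map(ipaddress.ip_network, baseline[domain])):
        return None
    if any(addr in net for net in LAN_RANGES):
        # An update domain resolving to a LAN address is the classic sign of an on-path redirect.
        return "private_answer"
    return "outside_baseline"


def scan(lines: Iterable[str], baseline: Dict[str, List[str]]) -> List[Tuple[str, str, str, str]]:
    """Scan log lines; return (client, qname, answer, reason) for every suspicious update lookup."""
    findings: List[Tuple[str, str, str, str]] = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip malformed lines instead of aborting the whole scan
        domain = matching_update_domain(rec["qname"], baseline)
        if domain is None:
            continue  # not an update domain we track
        reason = classify_answer(domain, rec["answer"], baseline)
        if reason:
            findings.append((rec["client"], rec["qname"], rec["answer"], reason))
    return findings


# Constructed sample log: one clean update lookup, one unrelated domain, two hijacked answers,
# and one malformed line.
SAMPLE_LOG = """\
2024-03-01T09:00:01Z client 10.0.0.15 query update.example-ime.test A -> 203.0.113.20
2024-03-01T09:00:05Z client 10.0.0.15 query www.example.test A -> 192.0.2.10
2024-03-01T09:01:10Z client 10.0.0.22 query update.example-ime.test A -> 192.0.2.77
2024-03-01T09:02:30Z client 10.0.0.22 query dl.updates.example-vpn.test A -> 10.0.0.1
this line is not a resolver record
"""

if __name__ == "__main__":
    for client, qname, answer, reason in scan(SAMPLE_LOG.splitlines(), UPDATE_DOMAIN_BASELINE):
        print(f"{client} {qname} -> {answer}: {reason}")
```

Two caveats a practitioner should keep in mind. First, update domains fronted by a CDN resolve to large and shifting address sets, so a static allowlist will produce false positives there; a disagreement check between the on-path resolver and a trusted resolver reached over an encrypted channel is the more robust signal. Second, DNS is only one indicator: the control that actually defeats a redirected update is the client verifying the downloaded package's signature before executing it, which an implant on a router cannot forge.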
DaemonicLogistics ultimately deploys SlowStepper, PlushDaemon’s custom backdoor. SlowStepper is capable of gathering extensive system information, running commands, performing file operations, and deploying Python-based spyware modules that can steal browser data, capture keystrokes, and harvest credentials. The backdoor was previously seen in attacks that distributed a trojanized installer for the South Korean VPN service IPany through the vendor’s own website.
ESET noted that PlushDaemon has hijacked update traffic for multiple products, including Sogou Pinyin, the widely used Chinese input method for typing Chinese characters, suggesting the campaign has broad reach and is not limited to a single software ecosystem.