Ethical Hacking News
Malicious hackers known as "PlushDaemon" have been hijacking software updates in supply-chain attacks, allowing them to intercept sensitive information from targeted individuals and organizations. This latest threat highlights the importance of robust cybersecurity measures and serves as a stark reminder of the ongoing threat landscape in cybersecurity.
PlushDaemon, a China-linked threat actor, has been hijacking software updates in supply-chain attacks.
The group has been linked to several high-profile cyberattacks since 2018, including those against US, Chinese, Taiwanese, and South Korean targets.
Malicious updates allow the hackers to intercept sensitive information from targeted individuals and organizations.
The attack method involves exploiting vulnerabilities or weak admin passwords to gain access to routers and redirect software-update traffic to attacker-controlled infrastructure.
Malware such as SlowStepper can collect detailed system information, steal data, and intercept keystrokes.
Organizations must take immediate action to protect themselves from PlushDaemon's malicious activities by ensuring timely software updates, strong passwords, and secure routers.
In a shocking turn of events, security researchers have discovered that a China-linked threat actor known as "PlushDaemon" has been hijacking software updates in supply-chain attacks. This malicious activity allows the hackers to intercept sensitive information from targeted individuals and organizations.
The PlushDaemon group has been linked to several high-profile cyberattacks since 2018, with custom malware such as SlowStepper backdoor being used against victims in the United States, China, Taiwan, Hong Kong, South Korea, and New Zealand. The threat actor has compromised electronics manufacturers, universities, and a Japanese automotive manufacturing plant in Cambodia.
According to ESET researchers, PlushDaemon has relied on malicious updates to breach target networks since 2019. This method of attack involves the hackers gaining access to routers by exploiting known vulnerabilities or weak admin passwords, installing an implant called EdgeStepper, and then redirecting software-update traffic to their own infrastructure.
EdgeStepper works by intercepting DNS queries and redirecting them to a malicious DNS node after confirming that the domain is employed for delivering software updates. When a victim tries to update their software, they receive a malicious DLL file disguised as "popup_4.2.0.2246.dll". This malware fetches another dropper named DaemonicLogistics, which retrieves PlushDaemon's signature backdoor, SlowStepper.
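Because EdgeStepper operates at the DNS layer, one defensive signal is the resolver's own logs: an update domain that suddenly answers with an address outside the vendor's known ranges, or that flips between addresses, is exactly what a redirecting implant on the gateway produces. The following is an added illustration, not code from ESET or from any of the articles linked below; the host names, address ranges (RFC 5737 TEST-NET blocks) and dnsmasq-style log lines are all constructed for the example.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed allow-list: update hosts and the address ranges their vendor is
# known to serve from. Hypothetical names and TEST-NET ranges, not real vendors.
UPDATE_HOST_RANGES = {
    "update.example-vendor.test": ["203.0.113.0/24"],
    "dl.example-vendor.test": ["203.0.113.0/24", "198.51.100.0/24"],
}

# Matches dnsmasq-style A-record reply lines, e.g.
#   Nov 19 04:12:43 gw dnsmasq[412]: reply update.example-vendor.test is 203.0.113.7
REPLY_RE = re.compile(r"reply (?P<name>\S+) is (?P<addr>\d{1,3}(?:\.\d{1,3}){3})\b")


def parse_replies(log_lines):
    """Yield (host, ip) for each A-record reply line; skip anything else."""
    for line in log_lines:
        m = REPLY_RE.search(line)
        if not m:
            continue
        try:
            yield m.group("name").lower().rstrip("."), ipaddress.ip_address(m.group("addr"))
        except ValueError:
            continue  # malformed address, ignore the line


def find_suspicious_replies(log_lines, host_ranges=UPDATE_HOST_RANGES):
    """Return (host, ip) pairs where a monitored update host resolved to an
    address outside the vendor's known ranges."""
    networks = {
        host: [ipaddress.ip_network(c) for c in cidrs]
        for host, cidrs in host_ranges.items()
    }
    hits = []
    for host, ip in parse_replies(log_lines):
        if host in networks and not any(ip in net for net in networks[host]):
            hits.append((host, str(ip)))
    return hits


def find_flapping_hosts(log_lines, host_ranges=UPDATE_HOST_RANGES):
    """Return monitored hosts that resolved to more than one distinct address
    in the log window, sorted; a change of answer for an update host deserves
    a look even when every address is individually plausible."""
    seen = defaultdict(set)
    for host, ip in parse_replies(log_lines):
        if host in host_ranges:
            seen[host].add(str(ip))
    return sorted(h for h, ips in seen.items() if len(ips) > 1)


# Constructed sample log: two legitimate answers, one redirected answer for the
# update host, and one unmonitored domain that should be ignored.
SAMPLE_LOG = [
    "Nov 19 04:12:43 gw dnsmasq[412]: reply update.example-vendor.test is 203.0.113.7",
    "Nov 19 04:12:44 gw dnsmasq[412]: reply dl.example-vendor.test is 198.51.100.9",
    "Nov 19 04:13:01 gw dnsmasq[412]: reply other.example.test is 192.0.2.1",
    "Nov 19 04:15:20 gw dnsmasq[412]: reply update.example-vendor.test is 192.0.2.55",
]

if __name__ == "__main__":
    for host, ip in find_suspicious_replies(SAMPLE_LOG):
        print(f"ALERT: {host} resolved to {ip}, outside the vendor's known ranges")
    for host in find_flapping_hosts(SAMPLE_LOG):
        print(f"NOTE: {host} returned more than one address in this window")
```

The allow-list is the weak point of this check in practice: vendors that front their update servers with a CDN change addresses often, so the list must be maintained from the vendor's published ranges, and the flapping check is the more robust of the two signals. Neither replaces verifying the downloaded update's signature on the client, which is what defeats a redirect outright.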
The SlowStepper malware allows hackers to collect detailed system information, run extensive file operations, execute commands, and run various Python-based spyware tools that can steal data from the browser, intercept keystrokes, and collect credentials. This malicious software has been previously documented in attacks against users of the South Korean VPN product IPany.
The PlushDaemon group's use of supply-chain attacks to hijack software updates is a sophisticated method of stealing sensitive information. By redirecting software-update traffic to infrastructure they control, the hackers can gain access to highly classified data and other sensitive materials. This highlights the importance of having robust cybersecurity measures in place to prevent such attacks.
In light of this new threat, organizations must take immediate action to protect themselves from PlushDaemon's malicious activities. This includes ensuring that software updates are applied promptly, using strong passwords, and keeping routers up to date with the latest security patches. Individuals can also take steps to protect themselves by being cautious when updating their software and regularly scanning for malware.
The discovery of PlushDaemon's involvement in supply-chain attacks serves as a stark reminder of the ongoing threat landscape in cybersecurity. As technology continues to advance, so too will the methods used by malicious actors to steal sensitive information. It is essential that individuals and organizations stay vigilant and take proactive measures to protect themselves from such threats.
Related Information:
https://www.ethicalhackingnews.com/articles/PlushDaemon-Hackers-Hijack-Software-Updates-to-Steal-Sensitive-Information-ehn.shtml
https://www.bleepingcomputer.com/news/security/plushdaemon-hackers-hijack-software-updates-in-supply-chain-attacks/
https://www.pcrisk.com/removal-guides/32007-slowstepper-malware
https://thehackernews.com/2025/11/edgestepper-implant-reroutes-dns.html
https://www.welivesecurity.com/en/eset-research/plushdaemon-compromises-network-devices-for-adversary-in-the-middle-attacks/
https://thehackernews.com/2025/01/plushdaemon-apt-targets-south-korean.html
Published: Wed Nov 19 04:12:43 2025 by llama3.2 3B Q4_K_M