Ethical Hacking News

The PlushDaemon Threat: A Sophisticated Supply Chain Attack Utilizing DNS Hijacking and Malware Rerouting



The "PlushDaemon" threat actor has been observed using a previously undocumented Go-based network backdoor codenamed EdgeStepper to carry out adversary-in-the-middle (AitM) attacks. The operation combines DNS hijacking with redirection of software-update traffic to attacker-controlled infrastructure, allowing the adversary to compromise targets worldwide.

  • The PlushDaemon threat actor uses a previously undocumented Go-based network backdoor called EdgeStepper to facilitate AitM attacks.
  • The attack reroutes DNS queries to an external, malicious hijacking node, allowing the adversary to compromise targets worldwide through supply chain and AitM poisoning attacks.
  • The attack starts with compromising an edge network device, such as a router, and deploying EdgeStepper to redirect DNS queries to a malicious DNS node.
  • Legitimate software update traffic is redirected to attacker-controlled infrastructure, giving the adversary an initial access vector for further malware deployment.
  • Organizations must implement robust security measures, including monitoring software updates closely, updating network devices regularly, and conducting vulnerability assessments.
  • Developers must prioritize defense-in-depth strategies, incorporating robust security protocols into their development process, collaborating with security experts, and implementing penetration testing exercises.



    The recent revelations about the "PlushDaemon" threat actor, a China-aligned group known for its sophisticated supply chain attacks, have shed light on a complex and evolving landscape of cyber espionage. This particular threat actor has been observed utilizing a previously undocumented Go-based network backdoor codenamed EdgeStepper to facilitate adversary-in-the-middle (AitM) attacks.

    According to ESET security researcher Facundo Muñoz, the threat actor in question, PlushDaemon, has been using this malicious network backdoor to reroute DNS queries to an external, malicious hijacking node. This effectively reroutes traffic from legitimate infrastructure used for software updates to attacker-controlled infrastructure. Such a mechanism allows the adversary to compromise targets worldwide by leveraging AitM poisoning and supply chain attacks.

    The attack commences with PlushDaemon compromising an edge network device, such as a router, on the target's network path. This is accomplished by exploiting a security flaw in the device's software or by abusing weak credentials, after which the adversary deploys EdgeStepper on the device. Once deployed, EdgeStepper redirects DNS queries to a malicious DNS node, which checks whether the domain in each DNS query is related to software updates.

    If so, it replies with the IP address of the hijacking node. This allows the adversary to intercept and manipulate legitimate software update requests, which can be used as an initial access vector for further malware deployment. The attack specifically targets Chinese software, including Sogou Pinyin, and attempts to hijack their update channels via EdgeStepper.
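The defensive counterpart of the mechanism just described is to watch the resolutions of software-update domains for answers that diverge from an out-of-band reference or that arrive from a resolver the site does not use. The following added example (not code from the original article or from ESET) does that over constructed DNS log lines; the log format, domain names, addresses and resolver are all made up for illustration.

```python
"""Flag DNS answers for software-update domains that diverge from an
out-of-band reference (e.g. a lookup made over a different network path)
or that come from an unexpected resolver. Constructed example."""
import re
from dataclasses import dataclass

# Constructed log format: "<time> <client> <qname> A <answer_ip> via <resolver_ip>"
LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) A (\S+) via (\S+)$")

# Constructed: domains that carry software-update traffic on this network.
UPDATE_DOMAINS = {"updates.example-software.test", "dl.vendor.test"}
# Constructed: reference answers obtained out-of-band (different resolver/path).
REFERENCE = {"updates.example-software.test": {"203.0.113.10"},
             "dl.vendor.test": {"198.51.100.20", "198.51.100.21"}}
EXPECTED_RESOLVER = "192.0.2.1"  # constructed: the resolver the site is configured to use

@dataclass(frozen=True)
class Alert:
    qname: str
    answer: str
    reason: str

def is_update_domain(qname):
    """True for a configured update domain or any subdomain of one."""
    q = qname.rstrip(".").lower()
    return q in UPDATE_DOMAINS or any(q.endswith("." + d) for d in UPDATE_DOMAINS)

def check_dns_log(lines, reference=REFERENCE, expected_resolver=EXPECTED_RESOLVER):
    """Return one Alert per suspicious answer seen for an update domain."""
    alerts = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # not a parsable A-record line
        _ts, _client, qname, answer, resolver = m.groups()
        qname = qname.rstrip(".").lower()
        if not is_update_domain(qname):
            continue  # only update channels are in scope for this check
        if resolver != expected_resolver:
            alerts.append(Alert(qname, answer, f"answer came from unexpected resolver {resolver}"))
        ref = reference.get(qname)
        if ref is not None and answer not in ref:
            alerts.append(Alert(qname, answer, "answer diverges from out-of-band reference"))
    return alerts

SAMPLE_LOG = [  # constructed sample: one clean, one out of scope, two suspicious
    "10:00:01 10.0.0.5 updates.example-software.test A 203.0.113.10 via 192.0.2.1",
    "10:00:02 10.0.0.5 www.unrelated.test A 198.18.0.1 via 192.0.2.1",
    "10:00:03 10.0.0.7 updates.example-software.test A 198.18.0.44 via 192.0.2.1",
    "10:00:04 10.0.0.7 dl.vendor.test A 198.51.100.20 via 198.18.0.53",
]
```

Running `check_dns_log(SAMPLE_LOG)` yields two alerts: the third line's answer does not match the reference, and the fourth line's answer was served by a resolver other than the configured one, which is exactly the trace a redirected resolver path leaves behind.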

    Once a target has been infected through the hijacked update, the malware begins communicating with the attacker node and, if SlowStepper is not already running on the system, fetches a downloader referred to as DaemonicLogistics. This downloader's primary purpose is to retrieve the SlowStepper backdoor from the server and execute it. SlowStepper supports an extensive set of features to gather system information and files, harvest browser credentials, extract data from various messaging apps, and even uninstall itself.

    It is imperative for organizations to recognize the severity of this threat and take necessary precautions against supply chain attacks and DNS hijacking. By implementing robust security measures, such as monitoring software updates closely, ensuring that network devices are regularly updated with patches, and conducting thorough vulnerability assessments, organizations can reduce their susceptibility to such threats.

    Furthermore, developers must prioritize defense-in-depth strategies and secure coding practices when building software, with the evolving threat landscape in mind. This includes incorporating robust security controls into the development process, collaborating closely with security experts to identify vulnerabilities early on, and conducting penetration testing exercises to ensure their applications are resilient against various attack vectors.

    In conclusion, the PlushDaemon threat highlights the ongoing struggle between cybersecurity professionals and sophisticated adversaries in the realm of supply chain attacks and DNS hijacking. As the threat actor continues to evolve its tactics, it is essential for organizations and developers to remain vigilant and proactive in defending against such threats.



    Related Information:
  • https://www.ethicalhackingnews.com/articles/The-PlushDaemon-Threat-A-Sophisticated-Supply-Chain-Attack-Utilizing-DNS-Hijacking-and-Malware-Rerouting-ehn.shtml

  • https://thehackernews.com/2025/11/edgestepper-implant-reroutes-dns.html

  • https://www.welivesecurity.com/en/eset-research/plushdaemon-compromises-network-devices-for-adversary-in-the-middle-attacks/

  • https://thehackernews.com/2025/01/plushdaemon-apt-targets-south-korean.html

  • https://www.bleepingcomputer.com/news/security/plushdaemon-hackers-hijack-software-updates-in-supply-chain-attacks/


  • Published: Wed Nov 19 04:34:41 2025 by llama3.2 3B Q4_K_M
    © Ethical Hacking News . All rights reserved.