ESET Research: Chinese PlushDaemon group compromises network devices for adversary-in-the-middle attacks

  • ESET researchers discovered that China-aligned threat group PlushDaemon performs adversary-in-the-middle attacks using a previously undocumented network implant we've named EdgeStepper.
  • It reroutes traffic from legitimate infrastructure used for software updates to attacker-controlled infrastructure.
  • Several popular Chinese software products had their updates hijacked by PlushDaemon via EdgeStepper; the aim of this attack is to deploy their tools in targeted machines to conduct cyberespionage.
  • Downloaders LittleDaemon and DaemonicLogistics are used to deploy the group’s signature SlowStepper backdoor on Windows machines.

MONTREAL and BRATISLAVA, Slovakia, Nov. 19, 2025 (GLOBE NEWSWIRE) -- ESET researchers discovered that China-aligned threat group PlushDaemon performs adversary-in-the-middle attacks using a previously undocumented implant for network devices (e.g., a router) that ESET named EdgeStepper, which redirects all DNS queries to a malicious external DNS server that replies with the address of another node that performs the hijacking of updates. This effectively reroutes software update traffic to attacker-controlled infrastructure, with the aim of deploying the downloaders LittleDaemon and DaemonicLogistics on targeted machines and ultimately distributing the SlowStepper implant. SlowStepper is a backdoor toolkit with dozens of components used for cyberespionage. These implants give PlushDaemon the capability to compromise targets anywhere in the world.

Since 2019, this China-aligned group has deployed attacks in the United States, New Zealand, Cambodia, Hong Kong, Taiwan, and mainland China itself. Among their victims were a university in Beijing, a Taiwanese company that manufactures electronics, a company in the automotive sector, and a branch of a Japanese company in the manufacturing sector.

In the discovered attack scenario, PlushDaemon first compromises a network device to which their target might connect; the compromise is probably achieved by exploiting a vulnerability in the software running on the device or through weak and/or well-known default administrative credentials, enabling the attackers to deploy EdgeStepper (and possibly other tools).

“Then, EdgeStepper begins redirecting DNS queries to a malicious DNS node that verifies whether the domain in the DNS query message is related to software updates, and if so, it replies with the IP address of the hijacking node. Alternatively, we have also observed that some servers are both the DNS node and the hijacking node; in those cases, the DNS node replies to DNS queries with its own IP address,” says ESET researcher Facundo Muñoz, who discovered and analyzed the attack. “Several popular Chinese software products had their updates hijacked by PlushDaemon via EdgeStepper,” he adds.
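The hijack pattern described above leaves two observable traces on the victim network: DNS queries answered by a resolver other than the organization's own, and update-related domains resolving to the responding DNS server itself (the "DNS node is also the hijacking node" case) or to an address that differs from a known-good baseline. The following detection sketch, added here as an illustration and not ESET's or PlushDaemon's code, scans constructed DNS log lines for those signals; the log format, the approved resolver, the update-domain heuristic and the baseline are all assumptions.

```python
# Added example (not from the ESET report): flag DNS answers that match the
# EdgeStepper hijack pattern. Log format and all sample values are constructed.

APPROVED_RESOLVERS = {"10.0.0.53"}                          # assumed: org resolver
UPDATE_DOMAIN_HINTS = ("update", "upgrade", "dl.", "download")  # assumed heuristic
# Assumed baseline of last known-good A records for update hosts (constructed)
KNOWN_GOOD = {"update.example-software.test": {"203.0.113.10"}}


def parse_line(line):
    """Constructed format: '<client> <resolver> <qname> <rtype> <answer>'."""
    client, resolver, qname, rtype, answer = line.split()
    if rtype != "A":
        return None                      # only A-record answers are assessed here
    return client, resolver, qname.lower().rstrip("."), answer


def looks_like_update_domain(qname):
    return any(hint in qname for hint in UPDATE_DOMAIN_HINTS)


def classify(record):
    """Return the list of hijack indicators present in one answered query."""
    client, resolver, qname, answer = record
    findings = []
    if resolver not in APPROVED_RESOLVERS:
        findings.append("unexpected-resolver")   # queries diverted off-network
    if not looks_like_update_domain(qname):
        return findings
    if answer == resolver:
        findings.append("answer-is-resolver")    # DNS node doubling as hijacker
    if qname in KNOWN_GOOD and answer not in KNOWN_GOOD[qname]:
        findings.append("update-answer-drift")   # update host moved unexpectedly
    return findings


def scan(lines):
    """Return (client, qname, findings) for every answer with at least one finding."""
    results = []
    for line in lines:
        record = parse_line(line)
        if record is None:
            continue
        findings = classify(record)
        if findings:
            results.append((record[0], record[2], findings))
    return results


SAMPLE_LOG = [  # constructed: RFC 5737 addresses, .test domains
    "192.0.2.10 10.0.0.53 update.example-software.test. A 203.0.113.10",
    "192.0.2.10 198.51.100.7 update.example-software.test. A 198.51.100.7",
    "192.0.2.11 198.51.100.7 www.example-news.test. A 203.0.113.99",
    "192.0.2.12 10.0.0.53 mail.example-corp.test. MX 203.0.113.5",
]
```

Running `scan(SAMPLE_LOG)` flags the second line with all three indicators and the third with only the unexpected resolver; the first line matches the baseline and produces nothing.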

PlushDaemon is a China-aligned threat actor active since at least 2018 that engages in espionage operations against individuals and entities in East Asia-Pacific and the United States. It uses a custom backdoor that ESET tracks as SlowStepper. In the past, ESET Research has observed the group gaining access via vulnerabilities in web servers, and in 2023 it performed a supply-chain attack.

For a more detailed analysis of the latest PlushDaemon activity, check out the latest ESET Research blogpost “PlushDaemon compromises network devices for adversary-in-the-middle attacks” on WeLiveSecurity.com. Make sure to follow ESET Research on Twitter (today known as X), BlueSky, and Mastodon for the latest news from ESET Research.

Geographical distribution of PlushDaemon’s victims since 2019.

About ESET

ESET® provides cutting-edge cybersecurity to prevent attacks before they happen. By combining the power of AI and human expertise, ESET stays ahead of emerging global cyberthreats, both known and unknown — securing businesses, critical infrastructure, and individuals. Whether it’s endpoint, cloud, or mobile protection, our AI-native, cloud-first solutions and services remain highly effective and easy to use. ESET technology includes robust detection and response, ultra-secure encryption, and multifactor authentication. With 24/7 real-time defense and strong local support, we keep users safe and businesses running without interruption. The ever-evolving digital landscape demands a progressive approach to security: ESET is committed to world-class research and powerful threat intelligence, backed by R&D centers and a strong global partner network. For more information, visit www.eset.com or follow our social media, podcasts, and blogs.

A photo accompanying this announcement is available at https://www.globenewswire.com/NewsRoom/AttachmentNg/33ceb5df-d620-4588-bda8-7d7131b16e25


Media contact:
Jessica Beffa
jessica.beffa@eset.com
720-413-4938
