Sometimes an attack hides in the most ordinary corner of a network. ESET researchers say a China-aligned threat group known as PlushDaemon has been quietly using hacked routers to steer software updates toward its own servers. The discovery shows how a small foothold in a single device can become a path into global targets.
A new implant built to redirect everything
ESET found that PlushDaemon uses an implant called EdgeStepper. It sits on a compromised network device and sends every DNS request to an external DNS server controlled by the group. That server then answers with the location of another node that hijacks software updates. The goal is to push downloaders named LittleDaemon and DaemonicLogistics onto a victim’s machine and then deploy a backdoor toolkit called SlowStepper.
SlowStepper contains dozens of components used for espionage. With this toolset, PlushDaemon can reach targets in any location.

Illustration of the first stages of the attack (Source: ESET)
A long list of targets across regions and industries
PlushDaemon has been active across several countries, including the United States, New Zealand, Cambodia, Hong Kong, Taiwan, and mainland China. Victims include a university in Beijing, an electronics manufacturer in Taiwan, an automotive sector company, and a branch of a Japanese manufacturing firm. The attack pattern shows interest in universities as well as industrial and commercial environments.
ESET says the group has a history of exploiting web server flaws. It also carried out a supply chain attack. The new research fits into a broader picture of a group willing to use any available path to reach its targets.
How the attackers move in
In the cases studied, PlushDaemon first gained access to a network device the target might use. The researchers believe this happened through software vulnerabilities or weak administrative credentials. Once the attackers controlled the device, they deployed EdgeStepper and sometimes other tools.
“EdgeStepper begins redirecting DNS queries to a malicious DNS node that verifies whether the domain in the DNS query message is related to software updates, and if so, it replies with the IP address of the hijacking node. Alternatively, we have also observed that some servers are both the DNS node and the hijacking node; in those cases, the DNS node replies to DNS queries with its own IP address,” says ESET researcher Facundo Muñoz. “Several popular Chinese software products had their updates hijacked by PlushDaemon via EdgeStepper,” he adds.
By steering traffic meant for trusted update servers, the attackers gain a method to install their own payloads without raising alarms.
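The redirection described above leaves three things a defender can look for in resolver or firewall DNS logs: queries being answered by a resolver the network does not normally use, update-domain queries answered with the responding resolver's own address (the case where the DNS node is also the hijacking node), and one answer address shared by several unrelated vendors' update domains. The Python below is an added example of those checks; it is not ESET's tooling or anything from the research, and the log lines, resolver addresses, domain names and field layout are constructed placeholders.

```python
"""Heuristics for spotting DNS-based update hijacking in resolver logs.

Hypothetical detection logic written for this article, not ESET's code.
Every address, domain and log line below is constructed for the example.
"""
from collections import defaultdict
from dataclasses import dataclass

# Assumed: the resolvers clients on this network are supposed to use.
EXPECTED_RESOLVERS = {"10.0.0.53", "10.0.1.53"}

# Assumed: suffixes of domains that serve software updates and deserve scrutiny.
UPDATE_SUFFIXES = (
    "update.example-vendor.test",
    "dl.example-app.test",
    "patch.example-soft.test",
)

# Constructed log: timestamp|client|resolver that answered|queried name|A record
SAMPLE_LOG = """\
2025-11-20T09:01:02Z|192.168.1.20|10.0.0.53|www.example.test|93.184.216.34
2025-11-20T09:01:05Z|192.168.1.20|10.0.0.53|update.example-vendor.test|198.51.100.10
2025-11-20T09:02:11Z|192.168.1.31|203.0.113.7|update.example-vendor.test|203.0.113.7
2025-11-20T09:02:12Z|192.168.1.31|203.0.113.7|dl.example-app.test|203.0.113.7
2025-11-20T09:02:40Z|192.168.1.31|203.0.113.7|www.example.test|93.184.216.34
2025-11-20T09:03:01Z|192.168.1.42|203.0.113.7|patch.example-soft.test|203.0.113.88
2025-11-20T09:03:03Z|192.168.1.42|203.0.113.7|dl.example-app.test|203.0.113.88
"""


@dataclass(frozen=True)
class DnsRecord:
    ts: str
    client: str
    resolver: str  # address that sent the answer
    qname: str
    answer: str    # A record returned to the client


def parse_log(text):
    """Parse the pipe-separated constructed format into DnsRecord objects."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, resolver, qname, answer = line.split("|")
        records.append(DnsRecord(ts, client, resolver, qname, answer))
    return records


def is_update_domain(qname, suffixes=UPDATE_SUFFIXES):
    """True when qname is one of the watched update domains or a subdomain of one."""
    q = qname.rstrip(".").lower()
    return any(q == s or q.endswith("." + s) for s in suffixes)


def find_unexpected_resolvers(records, expected=EXPECTED_RESOLVERS):
    """(client, resolver) pairs where the answer came from a resolver outside
    the expected set. A device forwarding every query elsewhere shows up here."""
    return sorted({(r.client, r.resolver) for r in records if r.resolver not in expected})


def find_self_answering_resolvers(records):
    """Update-domain queries answered with the resolver's own address."""
    return [r for r in records if is_update_domain(r.qname) and r.answer == r.resolver]


def find_shared_answers(records, min_domains=2):
    """Answer addresses shared by at least min_domains distinct update domains.
    CDNs legitimately do this too, so treat hits as leads to verify, not verdicts."""
    by_answer = defaultdict(set)
    for r in records:
        if is_update_domain(r.qname):
            by_answer[r.answer].add(r.qname.rstrip(".").lower())
    return {ip: sorted(names) for ip, names in by_answer.items() if len(names) >= min_domains}


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("unexpected resolvers:", find_unexpected_resolvers(recs))
    print("self-answering:", [(r.client, r.qname) for r in find_self_answering_resolvers(recs)])
    print("shared answers:", find_shared_answers(recs))
```

To run it against real data, replace parse_log with a reader for your resolver or firewall log format and fill EXPECTED_RESOLVERS and UPDATE_SUFFIXES from your own environment. The first check is the strongest signal on its own; the second and third need a follow-up such as resolving the same names through a resolver outside the suspect network path and comparing answers before anyone acts on them.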
