PlushDaemon APT Uses Novel EdgeStepper Implant for Adversary-in-the-Middle Attacks Since 2018
ESET researchers have uncovered PlushDaemon, a China-aligned threat actor active since 2018 that uses a previously undocumented network implant, EdgeStepper, to hijack software updates through adversary-in-the-middle attacks.

ESET researchers have detailed the operations of PlushDaemon, a China-aligned advanced persistent threat (APT) group active since at least 2018, which employs a previously undocumented network implant named EdgeStepper to conduct adversary-in-the-middle (AitM) attacks. The group targets individuals and organizations across the United States, Taiwan, China, Hong Kong, New Zealand, and Cambodia, with attacks observed from 2019 through 2025. PlushDaemon's primary objective is espionage, achieved by hijacking legitimate software update processes to deliver malicious payloads.
EdgeStepper, internally named dns_cheat_v2 by its developers, is an ELF binary compiled for MIPS32 processors and written in Go using the GoFrame framework. Once deployed on a compromised network device—such as a router—EdgeStepper redirects all DNS queries from machines in the targeted network to a malicious DNS node. This node checks whether the queried domain is associated with software updates; if so, it responds with the IP address of a hijacking node controlled by the attackers. The hijacking node then serves malicious updates in place of legitimate ones, effectively compromising the software update chain.
PlushDaemon's attack chain begins with access to a network device, likely gained by exploiting vulnerabilities or abusing weak default credentials. After deploying EdgeStepper, the group uses two further downloaders, LittleDaemon and DaemonicLogistics, to stage its signature backdoor, SlowStepper, on Windows machines. ESET observed the hijack being used against updates for popular Chinese software such as Sogou Pinyin, and noted that the updates of many other applications are handled the same way.
The victimology of PlushDaemon spans multiple regions and sectors. In the United States, compromises were recorded in 2019; in Taiwan, in 2021 and 2024; in China, a university in Beijing and a Taiwanese electronics manufacturer were targeted between 2021 and 2024; in Hong Kong and in New Zealand, incidents occurred in 2023; and in Cambodia, an automotive-sector company and a branch of a Japanese manufacturing firm were compromised in 2025. This geographic and sectoral spread underscores the breadth of the group's espionage focus.
ESET's analysis of EdgeStepper revealed that it decrypts its configuration from /etc/bioset.conf using AES CBC with the key and IV derived from the string "I Love Go Frame!". The decrypted configuration specifies a listening port and a malicious DNS host. The implant's design suggests it is part of a larger toolkit, though other components have not yet been recovered. The researchers also noted that in some cases, the DNS node and hijacking node are the same server, simplifying the attack infrastructure.
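To make the decryption step concrete, here is an added Go example (not ESET's code and not EdgeStepper's own) that performs AES-128-CBC decryption of a configuration blob using the 16-byte string "I Love Go Frame!" as both key and IV, with PKCS#7 padding; that string is the default IV constant of GoFrame's gaes helper, which fits an implant built on GoFrame. Using the raw string as key and IV, the JSON layout of the decrypted file, and the field names port and dns_host are assumptions: the article says only that the key and IV are derived from that string and that the file holds a listening port and a DNS host. Because no real bioset.conf contents appear in the article, the block constructs its own fixture by encrypting a sample config.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"encoding/json"
	"errors"
	"fmt"
)

// GoFrameKey is the string the article names as the source of EdgeStepper's
// AES key and IV. Using its raw 16 bytes as both key and IV is an assumption.
const GoFrameKey = "I Love Go Frame!"

// Config holds the two values the article says the decrypted file contains.
// The JSON layout and field names are assumptions made for this example.
type Config struct {
	Port    int    `json:"port"`
	DNSHost string `json:"dns_host"`
}

// pkcs7Unpad strips PKCS#7 padding and rejects anything malformed, which is
// what a wrong key or IV usually produces after CBC decryption.
func pkcs7Unpad(b []byte) ([]byte, error) {
	if len(b) == 0 || len(b)%aes.BlockSize != 0 {
		return nil, errors.New("plaintext is not block aligned")
	}
	n := int(b[len(b)-1])
	if n == 0 || n > aes.BlockSize {
		return nil, errors.New("bad padding length")
	}
	for _, c := range b[len(b)-n:] {
		if int(c) != n {
			return nil, errors.New("bad padding bytes")
		}
	}
	return b[:len(b)-n], nil
}

func pkcs7Pad(b []byte) []byte {
	n := aes.BlockSize - len(b)%aes.BlockSize
	return append(b, bytes.Repeat([]byte{byte(n)}, n)...)
}

// DecryptConfig reverses the assumed AES-CBC step and parses the result.
func DecryptConfig(ct []byte) (*Config, error) {
	if len(ct) == 0 || len(ct)%aes.BlockSize != 0 {
		return nil, errors.New("ciphertext is not block aligned")
	}
	block, err := aes.NewCipher([]byte(GoFrameKey))
	if err != nil {
		return nil, err
	}
	pt := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, []byte(GoFrameKey)).CryptBlocks(pt, ct)
	pt, err = pkcs7Unpad(pt)
	if err != nil {
		return nil, err
	}
	var cfg Config
	if err := json.Unmarshal(pt, &cfg); err != nil {
		return nil, err
	}
	return &cfg, nil
}

// EncryptConfig builds a constructed fixture under the same assumptions; it
// exists only so the example runs without a real /etc/bioset.conf.
func EncryptConfig(cfg Config) ([]byte, error) {
	pt, err := json.Marshal(cfg)
	if err != nil {
		return nil, err
	}
	block, err := aes.NewCipher([]byte(GoFrameKey))
	if err != nil {
		return nil, err
	}
	pt = pkcs7Pad(pt)
	ct := make([]byte, len(pt))
	cipher.NewCBCEncrypter(block, []byte(GoFrameKey)).CryptBlocks(ct, pt)
	return ct, nil
}

func main() {
	// Constructed sample: the DNS node address is a documentation-range IP.
	ct, err := EncryptConfig(Config{Port: 53, DNSHost: "198.51.100.10"})
	if err != nil {
		panic(err)
	}
	cfg, err := DecryptConfig(ct)
	if err != nil {
		panic(err)
	}
	fmt.Printf("listen port %d, DNS node %s\n", cfg.Port, cfg.DNSHost)
}
```

A triager with a recovered /etc/bioset.conf would pass its bytes to DecryptConfig; a padding or JSON error is the first sign that the key, IV or layout assumption does not match the sample in hand.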
PlushDaemon's activities extend beyond AitM attacks. The group has also been observed exploiting vulnerabilities in web servers for initial access and, in 2023, conducted a supply-chain attack against a South Korean VPN service. This multi-pronged approach highlights the group's adaptability and persistence. The SlowStepper backdoor, which is deployed via the downloaders, provides the attackers with remote access to compromised systems, enabling data exfiltration and further lateral movement.
The discovery of PlushDaemon and EdgeStepper adds to the growing body of evidence that state-sponsored threat actors are increasingly targeting network infrastructure and software update mechanisms. By compromising routers and other network devices, attackers can intercept and manipulate traffic for every host behind the device without touching the endpoints themselves, so endpoint security controls never see the initial hijack. Organizations are advised to monitor for unusual DNS activity, in particular update-related domains resolving to addresses outside the vendor's known ranges, to enforce strong credentials and patching on network devices, and to verify update integrity on the client. A DNS redirect on its own only defeats updaters that do not authenticate what they download (plain HTTP, HTTPS without certificate validation, or unsigned packages), so update clients that check signatures against keys shipped with the software are not fooled by a hijacked resolution alone.
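The redirection mechanism described earlier, in which the DNS node answers normally for most names and substitutes the hijacking node only for update domains, means the visible symptom from inside the victim network is an update domain resolving to an unexpected address, often the same address for several vendors. The following added Go example (not ESET's code, and not a tool from the report) runs that check over a constructed query log. The log lines, the vendor domains, and the expected CIDR ranges are all assumptions made for this example; in practice the ranges would come from the vendor's published CDN prefixes or from a resolver queried outside the suspect network.

```go
package main

import (
	"fmt"
	"net"
	"strings"
)

// sampleLog is a constructed resolver-style query log (not from the article):
// timestamp, client IP, queried name, record type, answer IP.
const sampleLog = `2025-03-04T09:12:01Z 10.0.0.21 update.pinyin-vendor.example A 203.0.113.40
2025-03-04T09:12:02Z 10.0.0.21 cdn.pinyin-vendor.example A 203.0.113.41
2025-03-04T09:12:05Z 10.0.0.33 www.intranet.example A 10.0.0.5
2025-03-04T09:13:10Z 10.0.0.21 update.pinyin-vendor.example A 198.51.100.77
2025-03-04T09:13:11Z 10.0.0.44 update.office-vendor.example A 198.51.100.77
2025-03-04T09:13:12Z 10.0.0.44 mail.intranet.example A 10.0.0.6`

// UpdateDomainRanges maps update-serving domains (matched by suffix) to the
// address ranges the vendor is expected to answer from. Domains and ranges
// are assumptions for this example.
var UpdateDomainRanges = map[string][]string{
	"pinyin-vendor.example": {"203.0.113.0/24"},
	"office-vendor.example": {"192.0.2.0/24"},
}

// Alert records one answer for an update domain that fell outside its range.
type Alert struct {
	Time, Client, Name, Answer string
}

// matchUpdateDomain returns the allowlist entry whose suffix matches qname.
func matchUpdateDomain(qname string) (string, bool) {
	q := strings.TrimSuffix(strings.ToLower(qname), ".")
	for dom := range UpdateDomainRanges {
		if q == dom || strings.HasSuffix(q, "."+dom) {
			return dom, true
		}
	}
	return "", false
}

// inRanges reports whether ip falls inside any of the CIDR ranges.
func inRanges(ip net.IP, cidrs []string) bool {
	for _, c := range cidrs {
		_, n, err := net.ParseCIDR(c)
		if err == nil && n.Contains(ip) {
			return true
		}
	}
	return false
}

// DetectHijackedAnswers scans log lines and flags A-record answers for
// update domains that are outside the expected ranges. Unparseable lines and
// non-A records are skipped rather than treated as alerts.
func DetectHijackedAnswers(logText string) []Alert {
	var alerts []Alert
	for _, line := range strings.Split(strings.TrimSpace(logText), "\n") {
		f := strings.Fields(line)
		if len(f) != 5 || f[3] != "A" {
			continue
		}
		dom, ok := matchUpdateDomain(f[2])
		if !ok {
			continue
		}
		ip := net.ParseIP(f[4])
		if ip == nil || !inRanges(ip, UpdateDomainRanges[dom]) {
			alerts = append(alerts, Alert{f[0], f[1], f[2], f[4]})
		}
	}
	return alerts
}

// SharedHijackNodes groups flagged answers by address: one address standing
// in for several vendors' update hosts is the pattern the article describes.
func SharedHijackNodes(alerts []Alert) map[string][]string {
	byAnswer := map[string][]string{}
	for _, a := range alerts {
		names := byAnswer[a.Answer]
		seen := false
		for _, n := range names {
			if n == a.Name {
				seen = true
				break
			}
		}
		if !seen {
			byAnswer[a.Answer] = append(names, a.Name)
		}
	}
	return byAnswer
}

func main() {
	alerts := DetectHijackedAnswers(sampleLog)
	for _, a := range alerts {
		fmt.Printf("%s client %s: %s -> %s outside expected ranges\n", a.Time, a.Client, a.Name, a.Answer)
	}
	for addr, names := range SharedHijackNodes(alerts) {
		fmt.Printf("candidate hijacking node %s serves %d update domains\n", addr, len(names))
	}
}
```

Because the router performs the redirect transparently, the endpoint still believes it is talking to its configured resolver, so the comparison has to be against an out-of-band reference (vendor ranges or an external resolver) rather than against the resolver's own source address.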