PlushDaemon Compromises Network Devices for Adversary-in-the-Middle Attacks

www.welivesecurity.com/en/eset-r…

ESET researchers have detailed how PlushDaemon conducts adversary-in-the-middle attacks using a previously undocumented network implant called EdgeStepper. The implant redirects all DNS queries to an external hijacking node, effectively rerouting traffic from legitimate update infrastructure to attacker-controlled servers.

PlushDaemon is a China-aligned threat actor active since at least 2018, focused on espionage operations targeting individuals and entities in China, Taiwan, Hong Kong, Cambodia, South Korea, the United States and New Zealand. The group uses a custom backdoor tracked as SlowStepper and relies heavily on hijacking legitimate software-update traffic through the EdgeStepper implant. ESET has also observed PlushDaemon exploiting vulnerabilities in web servers and conducting a supply-chain attack in 2023.
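The defensive counterpart to the behaviour described above is to watch for resolver answers for software-update domains that fall outside the address ranges the vendor actually uses. The following Python script is an added example, not code from the ESET report or from this post: it assumes a hypothetical resolver log format (`<ts> client=<ip> q=<name> a=<ip>`), a constructed per-domain allow-list of expected CIDRs, and constructed sample log lines. It flags answers outside the allow-list and then groups the flagged answers by the address returned, since a single unexpected address answering for several unrelated update domains is the pattern one would expect from a DNS-hijacking node.

```python
import ipaddress
from collections import defaultdict
from dataclasses import dataclass

# Hypothetical allow-list: the address ranges each monitored update domain
# is expected to resolve to. Constructed values for this example only.
EXPECTED_RANGES = {
    "update.example-vendor.com": ["203.0.113.0/24", "2001:db8:10::/48"],
    "dl.example-vendor.com": ["198.51.100.0/24"],
}


@dataclass
class DnsAnswer:
    client: str   # internal client that asked
    qname: str    # queried name, normalised (lower-case, no trailing dot)
    answer: str   # address returned by the resolver


def parse_dns_log(lines):
    """Parse constructed resolver log lines of the form
    '<ts> client=<ip> q=<name> a=<ip>' into DnsAnswer records.
    Lines missing any of the three fields are skipped."""
    records = []
    for line in lines:
        tokens = line.split()[1:]  # drop the timestamp
        fields = dict(tok.split("=", 1) for tok in tokens if "=" in tok)
        if {"client", "q", "a"} <= fields.keys():
            qname = fields["q"].rstrip(".").lower()
            records.append(DnsAnswer(fields["client"], qname, fields["a"]))
    return records


def find_hijacked_answers(answers, expected=EXPECTED_RANGES):
    """Return the answers for monitored domains whose address is not inside
    any expected range. Unparsable addresses are flagged too, since a
    monitored domain should never resolve to something we cannot parse."""
    nets = {d: [ipaddress.ip_network(c) for c in cidrs]
            for d, cidrs in expected.items()}
    flagged = []
    for rec in answers:
        if rec.qname not in nets:
            continue  # not an update domain we monitor
        try:
            addr = ipaddress.ip_address(rec.answer)
        except ValueError:
            flagged.append(rec)
            continue
        # 'in' is False for mismatched IP versions, so v4/v6 mixing is safe.
        if not any(addr in net for net in nets[rec.qname]):
            flagged.append(rec)
    return flagged


def suspect_nodes(flagged):
    """Group flagged answers by returned address: one address serving
    answers for several monitored domains is the hijacking-node pattern."""
    by_addr = defaultdict(set)
    for rec in flagged:
        by_addr[rec.answer].add(rec.qname)
    return dict(by_addr)


# Constructed sample log: two answers for monitored domains point at the
# same address that is in neither allow-list.
SAMPLE_LOG = [
    "2024-01-01T10:00:00Z client=10.0.0.5 q=update.example-vendor.com. a=203.0.113.17",
    "2024-01-01T10:00:01Z client=10.0.0.5 q=dl.example-vendor.com. a=192.0.2.44",
    "2024-01-01T10:00:02Z client=10.0.0.9 q=www.unrelated.example. a=192.0.2.1",
    "2024-01-01T10:00:03Z client=10.0.0.7 q=update.example-vendor.com. a=2001:db8:10::5",
    "2024-01-01T10:00:04Z client=10.0.0.7 q=update.example-vendor.com. a=192.0.2.44",
]


def run_sample():
    """Run the detector over the constructed log and return the grouping."""
    flagged = find_hijacked_answers(parse_dns_log(SAMPLE_LOG))
    return suspect_nodes(flagged)


if __name__ == "__main__":
    for addr, names in run_sample().items():
        print(f"unexpected answer {addr} returned for: {', '.join(sorted(names))}")
```

In practice the allow-list would be built from vendor-published ranges or from answers obtained over a trusted, authenticated resolver path (DoH/DoT to a known server), and the comparison would run against the answers clients actually received from on-path devices, which is where the implant described in the report sits.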

Edward Kiledjian @ekiledjian