China-Linked Hackers Deploy New DNS Hijacking Tool


According to Infosecurity Magazine, the China-aligned hacking group PlushDaemon has been deploying an undocumented network implant called EdgeStepper to conduct adversary-in-the-middle attacks globally. The group, active since at least 2018, has targeted organizations across Cambodia, South Korea, New Zealand, the US, Taiwan, Hong Kong and even China itself. While investigating the group’s techniques in 2024, ESET researchers discovered the malware submitted to VirusTotal in November 2024. The tool works by forwarding DNS traffic to malicious nodes, allowing attackers to hijack legitimate software updates. Once inside networks, PlushDaemon deploys two downloaders called LittleDaemon and DaemonLogistics that deliver backdoor toolkits for cyber espionage operations.


How the DNS Hijacking Actually Works

Here’s the thing about EdgeStepper – it’s basically a DNS traffic manipulator that sits on compromised network devices. The malware, internally called dns_cheat_v2 by its developers, intercepts DNS requests and redirects them to malicious DNS nodes controlled by the attackers. So when software checks for a legitimate update, the request is routed to a hijacked server instead, and that server tells the software to download a malicious update carrying additional payloads. It’s a clever way to get past traditional security measures: the update request itself is perfectly normal, and only the DNS answer has been tampered with, so nothing on the endpoint looks out of place.
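The practical check a defender can run against this technique is to compare the DNS answers that clients actually receive for update domains with answers obtained out of band (for example, over DNS-over-HTTPS to a trusted provider on a path the edge device cannot rewrite). The script below is an added example, not code from ESET or Infosecurity Magazine; the log format, the watched domain names, the reference table and the IP addresses are all constructed for illustration. It flags answers that diverge from the reference and, as a stronger signal, a single unexpected address that several distinct update domains suddenly resolve to, which is what a shared malicious node behind a DNS-rewriting implant would look like.

```python
"""
Detect DNS answer divergence for software-update domains.

Added example (not ESET's or the article's code). Works on constructed
resolver log lines and a constructed reference table; in practice the
reference answers would come from an out-of-band resolver that the
network edge cannot tamper with.
"""
import ipaddress
from collections import defaultdict
from dataclasses import dataclass

# Hypothetical update endpoints we care about (suffix match).
WATCHED_SUFFIXES = ("update.example.com", "updates.example.net")

# Constructed reference answers as returned by a trusted out-of-band resolver.
REFERENCE = {
    "update.example.com": {"203.0.113.10", "203.0.113.11"},
    "dl.updates.example.net": {"198.51.100.5"},
}

# Constructed resolver log: "<unix_ts> <client_ip> <qname> <rtype> <answer>"
SAMPLE_LOG = """\
1700000000 10.0.0.5 update.example.com A 203.0.113.10
1700000001 10.0.0.5 dl.updates.example.net A 192.0.2.77
1700000002 10.0.0.9 www.example.org A 93.184.216.34
1700000003 10.0.0.5 update.example.com A 203.0.113.11
1700000004 10.0.0.7 update.example.com A 192.0.2.77
1700000005 10.0.0.7 update.example.com AAAA 2001:db8::1
"""


@dataclass(frozen=True)
class Finding:
    ts: int
    client: str
    qname: str
    answer: str
    reason: str


def is_watched(qname: str) -> bool:
    """True if qname equals or is a subdomain of a watched suffix."""
    q = qname.rstrip(".").lower()
    return any(q == s or q.endswith("." + s) for s in WATCHED_SUFFIXES)


def parse_line(line: str):
    """Parse one log record; return (ts, client, qname, answer) or None."""
    parts = line.split()
    if len(parts) != 5:
        return None
    ts, client, qname, rtype, answer = parts
    if rtype not in ("A", "AAAA"):
        return None  # only address records can redirect an update fetch
    try:
        answer = str(ipaddress.ip_address(answer))  # canonical textual form
    except ValueError:
        return None
    return int(ts), client, qname.rstrip(".").lower(), answer


def check_answers(log_text: str, reference: dict) -> list:
    """Flag watched-domain answers that differ from the out-of-band reference."""
    ref = {k.lower(): {str(ipaddress.ip_address(a)) for a in v}
           for k, v in reference.items()}
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ts, client, qname, answer = rec
        if not is_watched(qname):
            continue
        expected = ref.get(qname)
        if expected is None:
            findings.append(Finding(ts, client, qname, answer,
                                    "no reference answer for watched name"))
        elif answer not in expected:
            findings.append(Finding(ts, client, qname, answer,
                                    "answer differs from out-of-band reference"))
    return findings


def shared_unexpected_answers(findings: list) -> dict:
    """Unexpected IPs that answer for two or more distinct watched names."""
    by_ip = defaultdict(set)
    for f in findings:
        by_ip[f.answer].add(f.qname)
    return {ip: names for ip, names in by_ip.items() if len(names) >= 2}


if __name__ == "__main__":
    found = check_answers(SAMPLE_LOG, REFERENCE)
    for f in found:
        print(f"{f.ts} {f.client} {f.qname} -> {f.answer}: {f.reason}")
    for ip, names in shared_unexpected_answers(found).items():
        print(f"shared unexpected answer {ip} for {sorted(names)}")
```

On the constructed log this reports three divergent answers and singles out 192.0.2.77 as an address that both update domains were steered to. The comparison only tells you that the answer seen on the inside differs from the answer seen from outside; the next step is to confirm where the rewrite happens, which on a network like the one described means inspecting the router or gateway the clients' DNS passes through rather than the endpoints.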

Why This Attack Method Is So Concerning

Look, supply chain attacks aren’t new, but this approach is particularly sneaky. PlushDaemon isn’t just compromising one software vendor – they’re subverting the update mechanism itself for every system whose DNS passes through a compromised device. And they’re not just targeting obscure applications either. The group was identified as behind the supply chain attack targeting IPany, a South Korean VPN company, back in May 2024. Think about how many organizations rely on industrial computing systems and network infrastructure that need regular updates, and how little of that update traffic is ever checked against anything other than the DNS answer it receives.

The Bigger Picture of Global Cyber Espionage

So what’s really going on here? PlushDaemon has been around since at least 2018, which means they’re not some amateur operation. They’re conducting sophisticated, long-term espionage campaigns against strategic targets worldwide. The fact that they’re even targeting organizations within China and Hong Kong suggests they might be going after foreign entities operating there rather than domestic targets. But here’s what worries me – these implants give them the capability to compromise targets anywhere in the world. When you can redirect software updates at the DNS level, you’re not just breaking into one system – you’re potentially compromising entire networks of connected devices.
