{
	"id": "59322744-9d41-49f5-89df-c863d381edcc",
	"created_at": "2026-04-06T00:19:58.338651Z",
	"updated_at": "2026-04-10T03:38:09.938912Z",
	"deleted_at": null,
	"sha1_hash": "9bebbcc0ca9ea9c5f9cc3bedc4e80df11b0df574",
	"title": "PlushDaemon compromises network devices for adversary-in-the-middle attacks",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 581574,
	"plain_text": "PlushDaemon compromises network devices for adversary-in-the-middle attacks\r\nBy Facundo Muñoz, Dávid Gábriš\r\nArchived: 2026-04-05 18:35:01 UTC\r\nESET researchers provide insights into how PlushDaemon performs adversary-in-the-middle attacks using a\r\npreviously undocumented network implant that we have named EdgeStepper, which redirects all DNS queries to\r\nan external, malicious hijacking node, effectively rerouting the traffic from legitimate infrastructure used for\r\nsoftware updates to attacker-controlled infrastructure.\r\nKey points in this blogpost:\r\nWe analyzed the network implant EdgeStepper to understand how PlushDaemon attackers\r\ncompromise their targets.\r\nWe provide an analysis of LittleDaemon and DaemonicLogistics, two downloaders that deploy\r\nthe group’s signature SlowStepper backdoor on Windows machines.\r\nPlushDaemon profile\r\nPlushDaemon is a China-aligned threat actor active since at least 2018 that engages in espionage operations\r\nagainst individuals and entities in China, Taiwan, Hong Kong, Cambodia, South Korea, the United States, and\r\nNew Zealand. PlushDaemon uses a custom backdoor that we track as SlowStepper, and its main initial access\r\ntechnique is to hijack legitimate updates by redirecting traffic to attacker-controlled servers through a network\r\nimplant that we call EdgeStepper. Additionally, we have observed the group gaining access via vulnerabilities in\r\nweb servers, and in 2023 it performed a supply-chain attack.\r\nOverview\r\nIn 2024, while researching PlushDaemon’s clusters of activity (including the supply-chain compromise of a South\r\nKorean VPN service), we noticed that an ELF file submitted to VirusTotal contained two subdomains from\r\nPlushDaemon’s infrastructure. That file, called bioset, was previously hosted on a server likely compromised by\r\nmultiple threat actors. 
Note that on the same day of the submission to VirusTotal, a researcher\r\n(@James_inthe_box) tweeted about an open directory on the server where bioset was hosted, so the sample was\r\nprobably uploaded to VirusTotal by a researcher who was investigating the contents of the directory.\r\nInternally named dns_cheat_v2 by its developers – and codenamed EdgeStepper by us – bioset is PlushDaemon’s\r\nadversary-in-the-middle tool, which forwards DNS traffic from machines in a targeted network to a malicious\r\nDNS node. This allows the attackers to redirect the traffic from software updates to a hijacking node that serves\r\ninstructions to the legitimate software to download a malicious update.\r\nVictimology\r\nhttps://www.welivesecurity.com/en/eset-research/plushdaemon-compromises-network-devices-for-adversary-in-the-middle-attacks/\r\nPage 1 of 10\n\nFigure 1 presents the geographical distribution of victims of PlushDaemon that have been compromised through\r\nmalicious updates, since 2019, according to ESET telemetry.\r\nFigure 1. 
Geographical distribution of victims\r\nPlushDaemon has compromised individuals and organizations located in the following regions:\r\nUnited States (2019)\r\nTaiwan (2021, 2024)\r\nChina (2021–2024), including a university in Beijing and a Taiwanese company that manufactures\r\nelectronics\r\nHong Kong (2023)\r\nNew Zealand (2023)\r\nCambodia (2025), including a company in the automotive sector and a branch of a Japanese company in\r\nthe manufacturing sector\r\nAdversary-in-the-middle attack overview\r\nFirst, PlushDaemon compromises a network device (for example, a router) to which their target might connect; the\r\ncompromise is probably achieved by exploiting a vulnerability in the software running on the device or through\r\nweak and/or well-known default administrative credentials, enabling the attackers to deploy EdgeStepper (and\r\npossibly other tools).\r\nEdgeStepper begins redirecting DNS queries to a malicious DNS node that verifies whether the domain (for\r\nexample, info.pinyin.sogou.com from Sogou Pinyin) in the DNS query message is related to software updates, and\r\nif so, it replies with the IP address of the hijacking node. Alternatively, we have also observed that some servers\r\nare both the DNS node and the hijacking node; in those cases, the DNS node replies to DNS queries with its own\r\nIP address.\r\nNote that since we have closely studied updates for Sogou Pinyin software being hijacked, we will continue to use\r\nthat as an example from here on out. Many other popular Chinese software titles also have their updates hijacked\r\nin similar ways by PlushDaemon via EdgeStepper.\r\nFigure 2 illustrates the first stages of the deployment of PlushDaemon’s capabilities.\r\nFigure 2. 
Illustration of the first stages of the attack\r\nThe updating software communicates via HTTP with the hijacking node instead of Sogou’s legitimate\r\ninfrastructure; the hijacking node replies with instructions to, for example, download a DLL file from\r\nhttp://ime.sogou.com/popup_4.2.0.2246.dll, as shown in Figure 3.\r\nFigure 3. Traffic capture of the update hijacking process\r\nThe software sends an HTTP GET request to ime.sogou.com to try to obtain the DLL; however, the\r\ncommunication is again redirected to the hijacking node, which serves popup_4.2.0.2246.dll that, in reality, is the\r\nLittleDaemon DLL. The process is illustrated in Figure 4.\r\nFigure 4. Illustration of the final stage of the update hijacking\r\nFigure 5 shows the hijacking node serving LittleDaemon.\r\nFigure 5. Traffic capture of the update hijacking process\r\nEdgeStepper\r\nAccording to the symbols in the binary, EdgeStepper was originally called dns_cheat_v2. It was developed in Go\r\nusing the open-source GoFrame framework, and compiled as an ELF file for MIPS32 processors. It is important to\r\nnote that it is unlikely that EdgeStepper is the only component deployed on the compromised network device.\r\nUnfortunately, we don’t have samples of other components in the compromise chain.\r\nEdgeStepper begins by obtaining and decrypting configuration data from /etc/bioset.conf. For decryption, it uses\r\nAES CBC with the key and IV being the string I Love Go Frame!, which is used as the default IV in the\r\nimplementation by the GoFrame library.\r\nThe decrypted configuration reveals the data shown in Figure 6.\r\n[cheat]\r\ntoPort = 1090\r\nhost = \"ds20221202.dsc.wcsset[.]com\"\r\nFigure 6. 
Decrypted configuration\r\nThe meaning of the parameters is as follows:\r\ntoPort specifies the port where EdgeStepper will listen, and\r\nhost specifies the domain that is resolved to obtain the IP address(es) of the DNS node to which the DNS\r\nquery packets are forwarded.\r\nAdditionally, there is a configuration block (Figure 7) in the EdgeStepper binary, which appears to not be\r\nreferenced anywhere in the code. The domain in the host field is test.dsc.wcsset[.]com, which resolved to\r\n47.242.198[.]250. We observed that IP address from 2021 to 2022 as the source of the malicious update: the\r\nhijacking node. At the time of writing, the domain resolves to that IP address.\r\nFigure 7. Unused configuration block in EdgeStepper\r\nAfter loading its configuration, EdgeStepper initializes the Distributor system and the Ruler system.\r\nDistributor\r\nThe distributor resolves the IP address(es) associated with the domain value in the host field of the configuration\r\nand invokes the Ruler system. The workflow of the distributor is illustrated in Figure 8.\r\nFigure 8. EdgeStepper workflow\r\n1. Via the Ruler system, the distributor redirects traffic on port 53 to port 1090, establishing itself as a DNS\r\nproxy.\r\n2. When a DNS message is received from a potential victim’s device, it checks whether the message is RFC\r\ncompliant (probably just to verify that the packet is really from the DNS protocol).\r\n3. Then it forwards the packet to the malicious DNS node.\r\n4. 
Finally, it forwards the reply from the DNS node to the device.\r\nRuler\r\nThe Ruler system uses the iptables command to issue new rules, and to remove them when concluding the attack.\r\nFirst, it issues a rule to redirect all UDP traffic on port 53 of the device to the port specified by toPort in the\r\nconfiguration:\r\niptables -t nat -I PREROUTING -p udp --dport 53 -j REDIRECT --to-port \u003cvalue_from_toPort\u003e\r\nThen it issues a command to accept the packets on that port:\r\niptables -t filter -I INPUT -p udp --dport \u003cvalue_from_toPort\u003e -j ACCEPT\r\nWhen terminating, it removes the previous rules it set up by issuing the commands:\r\niptables -t nat -D PREROUTING *\r\niptables -t filter -D INPUT -p udp --dport \u003cvalue_from_toPort\u003e -j ACCEPT\r\nLittleDaemon\r\nLittleDaemon is the first stage deployed on the victim’s machine through hijacked updates. We have observed\r\nboth DLL and executable versions, both of them 32-bit PEs. The main purpose of LittleDaemon is to\r\ncommunicate with the hijacking node to obtain the downloader that we call DaemonicLogistics. LittleDaemon\r\ndoes not establish persistence.\r\nFirst, it verifies whether the SlowStepper backdoor is running on the system. If not, LittleDaemon downloads\r\nDaemonicLogistics by issuing an HTTP GET request to a server (typically, the hijacking node), decrypts it with a\r\ncombination of XOR operations, and then executes it.\r\nThe request can be sent to two legitimate domains (ime.sogou.com or mobads.baidu.com) or the IP address\r\n119.136.153.0. The resource path is /update/updateInfo.bzp for all three. 
In the case of the legitimate domains, it’s\r\nexpected that the traffic will be redirected to the hijacking node by EdgeStepper.\r\nDaemonicLogistics\r\nDaemonicLogistics is position-independent code downloaded and executed in memory by LittleDaemon. Its main\r\npurpose is to download and deploy the SlowStepper implant.\r\nWhen DaemonicLogistics sends a request to the server (typically, the hijacking node), it replies with an HTTP\r\nstatus code, which DaemonicLogistics interprets as a command, and performs the actions listed in Table 1.\r\nTable 1. Commands supported by DaemonicLogistics\r\nCode Action taken\r\n200\r\nDownloads SlowStepper without checking for the presence of a process named 360tray.exe\r\n(a component of the 360 Total Security antimalware solution).\r\n205\r\n206\r\n208\r\n203\r\nDownloads a file named plugin.exe and executes it (during our tests, the server did not request\r\ndownloading this file).\r\n207 Checks for the presence of a process named 360tray.exe and downloads SlowStepper if not present.\r\n202–\r\n300\r\nDefault to execute command 200. 
These could be unimplemented commands.\r\nThe initial HTTP GET request is sent to:\r\nime.sogou.com/update/latest/new_version?tp=2\u0026c=0\u0026s=\u003cOS_ID_number\u003e\u0026mac=\u003cidentifier\u003e\r\nThe meaning of the parameters in the URL is as follows:\r\nThe values tp and c are hardcoded by default to 2 and 0, respectively.\r\nThe s field is one byte and is a number that identifies the operating system version.\r\nThe mac field is six bytes and is the MAC address value from the machine’s ethernet or Wi-Fi adapter, or\r\nrandomly generated if it fails to obtain any; the value is probably used as an identifier by the server.\r\nDuring our analysis we observed that the server replied with status code 207, to which DaemonicLogistics replied\r\nwith another request to ime.sogou.com/update/latest/new_version?tp=1\u0026g=15\u0026c=0. In this case, the part of the\r\nURL tp=1\u0026g=15\u0026c=0 is hardcoded.\r\nThe server replied with status code 202. DaemonicLogistics proceeded to do two requests to download the\r\nSlowStepper payload files, first to ime.sogou.com/update/file6.bdat, and then to ime.sogou.com/update/file2.bdat.\r\nThe payload data in the first and second responses from the server began with a magic value:\r\nIn response to the first request, the magic value in hex was 50 4B 03 04 0A 1B 2C 3D\r\n(PK\\3\\4\\A\\1B\\2C\\3C):\r\n○ DaemonicLogistics actively checks that the first eight bytes of data received from the server match this\r\nmagic value. 
If true, it writes the data to\r\n%PROGRAMDATA%\\Tencent\\QQUpdateMgr\\UpdateFiles\\logo.gif.\r\nIn response to the second request, the magic value in hex was 47 49 46 38 39 61 10 10 (GIF89a\\10\\10)\r\n○ DaemonicLogistics does not check this magic value specifically: when the check for the previous magic\r\nvalue does not match, it processes the data and decrypts it using a combination of XOR operations. The\r\ndata contains files that are written to disk on paths specified in the decrypted data.\r\nConclusion\r\nWe analyzed the EdgeStepper network implant that enables PlushDaemon’s adversary-in-the-middle capabilities\r\nto hijack updates from machines in a targeted network. We also analyzed LittleDaemon and DaemonicLogistics\r\ntools that together deploy the SlowStepper implant on Windows machines. These implants give PlushDaemon the\r\ncapability to compromise targets anywhere in the world.\r\nFor any inquiries about our research published on WeLiveSecurity, please contact us at\r\nthreatintel@eset.com. \r\nESET Research offers private APT intelligence reports and data feeds. 
For any inquiries about this\r\nservice, visit the ESET Threat Intelligence page.\r\nIoCs\r\nA comprehensive list of indicators of compromise and samples can be found in our GitHub repository.\r\nFiles\r\nSHA-1 | Filename | ESET detection name | Description\r\n8F569641691ECB3888CD4C11932A5B8E13F04B07 | bioset | Linux/Agent.AEP | EdgeStepper.\r\n06177810D61A69F34091CC9689B813740D4C260F | bioset.conf | Win32/Rozena.BXX | EdgeStepper encrypted configuration.\r\n69974455D8C13C5D57C1EE91E147FF9AED49AEBC | popup_4.2.0.2246.dll | Win32/Agent.AGXK | LittleDaemon.\r\n2857BC730952682D39F426D185769938E839A125 | sogou_wubi_15.4.0.2508_0000.exe | Win32/Agent.AFDT | LittleDaemon.\r\nNetwork\r\nIP | Domain | Hosting provider | First seen | Details\r\n8.212.132[.]120 | ds20221202.dsc.wcsset[.]com | Alibaba (US) Technology Co., Ltd. | 2024‑07‑12 | DNS/Hijacking node.\r\n47.242.198[.]250 | test.dsc.wcsset[.]com | Alibaba Cloud LLC | 2024‑07‑12 | DNS/Hijacking node.\r\nMITRE ATT\u0026CK techniques\r\nThis table was built using version 18 of the MITRE ATT\u0026CK framework.\r\nTactic | ID | Name | Description\r\nResource Development | T1583.001 | Acquire Infrastructure: Domains | PlushDaemon uses EdgeStepper to redirect traffic to specific subdomains that are part of PlushDaemon’s infrastructure on wcsset[.]com.\r\nResource Development | T1583.002 | Acquire Infrastructure: DNS Server | Part of the PlushDaemon infrastructure is used to host its malicious DNS nodes.\r\nResource Development | T1583.004 | Acquire Infrastructure: Server | PlushDaemon has acquired servers to host its DNS/hijacking nodes and C\u0026C servers.\r\nResource Development | T1608.001 | Stage Capabilities: Upload Malware | PlushDaemon hosts its payloads on DNS/hijacking 
servers.\r\nInitial Access | T1659 | Content Injection | Hijacking nodes from PlushDaemon process hijacked traffic and reply to legitimate software with instructions to download malware such as LittleDaemon.\r\nExecution | T1106 | Native API | DaemonicLogistics executes the SlowStepper implant using the ShellExecute API.\r\nDefense Evasion | T1070.004 | Indicator Removal: File Deletion | Some variants of LittleDaemon can remove themselves.\r\nDefense Evasion | T1036.005 | Masquerading: Match Legitimate Name or Location | DaemonicLogistics creates a subdirectory named Tencent, where it stores its files.\r\nDefense Evasion | T1036.008 | Masquerading: Masquerade File Type | DaemonicLogistics and SlowStepper’s loader can decrypt files that masquerade as ZIP and GIF files.\r\nDefense Evasion | T1027.009 | Obfuscated Files or Information: Embedded Payloads | Files masquerading as ZIPs and GIF files contain embedded encrypted components.\r\nDefense Evasion | T1027.013 | Obfuscated Files or Information: Encrypted/Encoded File | Components of the SlowStepper implant are encrypted on disk.\r\nDiscovery | T1518.001 | Software Discovery: Security Software Discovery | DaemonicLogistics checks for the presence of 360tray.exe – a component of 360 Total Security.\r\nDiscovery | T1016 | System Network Configuration Discovery | DaemonicLogistics attempts to obtain the ethernet or Wi-Fi adapter’s MAC address.\r\nDiscovery | T1057 | Process Discovery | DaemonicLogistics lists processes.\r\nCommand and Control | T1071.001 | Application Layer Protocol: Web Protocols | LittleDaemon and DaemonicLogistics use HTTP to communicate with their server.\r\nCommand and Control | T1573 | Encrypted Channel | LittleDaemon downloads via HTTP the encrypted DaemonicLogistics that downloads via HTTP the encrypted SlowStepper 
implant.\r\nCommand and Control | T1665 | Hide Infrastructure | LittleDaemon and DaemonicLogistics make downloads by sending HTTP requests to legitimate domains.\r\nSource: https://www.welivesecurity.com/en/eset-research/plushdaemon-compromises-network-devices-for-adversary-in-the-middle-attacks/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.welivesecurity.com/en/eset-research/plushdaemon-compromises-network-devices-for-adversary-in-the-middle-attacks/"
	],
	"report_names": [
		"plushdaemon-compromises-network-devices-for-adversary-in-the-middle-attacks"
	],
	"threat_actors": [
		{
			"id": "cf7fc640-acfe-41c4-9f3d-5515d53a3ffb",
			"created_at": "2023-01-06T13:46:38.228042Z",
			"updated_at": "2026-04-10T02:00:02.883048Z",
			"deleted_at": null,
			"main_name": "APT1",
			"aliases": [
				"PLA Unit 61398",
				"Comment Crew",
				"Byzantine Candor",
				"Comment Group",
				"GIF89a",
				"Group 3",
				"TG-8223",
				"Brown Fox",
				"ShadyRAT",
				"G0006",
				"COMMENT PANDA"
			],
			"source_name": "MISPGALAXY:APT1",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "4f7a1404-3aa3-4f27-bced-473c16a4b65c",
			"created_at": "2025-02-23T02:03:22.518463Z",
			"updated_at": "2026-04-10T02:00:04.855713Z",
			"deleted_at": null,
			"main_name": "PlushDaemon",
			"aliases": [],
			"source_name": "ETDA:PlushDaemon",
			"tools": [
				"SlowStepper"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "a0c10b65-a8bb-473b-85b0-6bacc97ecbd8",
			"created_at": "2025-03-07T02:00:03.794198Z",
			"updated_at": "2026-04-10T02:00:03.819825Z",
			"deleted_at": null,
			"main_name": "PlushDaemon",
			"aliases": [],
			"source_name": "MISPGALAXY:PlushDaemon",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "3fff98c9-ad02-401d-9d4b-f78b5b634f31",
			"created_at": "2023-01-06T13:46:38.376868Z",
			"updated_at": "2026-04-10T02:00:02.949077Z",
			"deleted_at": null,
			"main_name": "Cleaver",
			"aliases": [
				"G0003",
				"Operation Cleaver",
				"Op Cleaver",
				"Tarh Andishan",
				"Alibaba",
				"TG-2889",
				"Cobalt Gypsy"
			],
			"source_name": "MISPGALAXY:Cleaver",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "3aaf0755-5c9b-4612-9f0e-e266ef1bdb4b",
			"created_at": "2022-10-25T16:07:23.480196Z",
			"updated_at": "2026-04-10T02:00:04.626125Z",
			"deleted_at": null,
			"main_name": "Comment Crew",
			"aliases": [
				"APT 1",
				"BrownFox",
				"Byzantine Candor",
				"Byzantine Hades",
				"Comment Crew",
				"Comment Panda",
				"G0006",
				"GIF89a",
				"Group 3",
				"Operation Oceansalt",
				"Operation Seasalt",
				"Operation Siesta",
				"Shanghai Group",
				"TG-8223"
			],
			"source_name": "ETDA:Comment Crew",
			"tools": [
				"Auriga",
				"Cachedump",
				"Chymine",
				"CookieBag",
				"Darkmoon",
				"GDOCUPLOAD",
				"GLOOXMAIL",
				"GREENCAT",
				"Gen:Trojan.Heur.PT",
				"GetMail",
				"Hackfase",
				"Hacksfase",
				"Helauto",
				"Kurton",
				"LETSGO",
				"LIGHTBOLT",
				"LIGHTDART",
				"LOLBAS",
				"LOLBins",
				"LONGRUN",
				"Living off the Land",
				"Lslsass",
				"MAPIget",
				"ManItsMe",
				"Mimikatz",
				"MiniASP",
				"Oceansalt",
				"Pass-The-Hash Toolkit",
				"Poison Ivy",
				"ProcDump",
				"Riodrv",
				"SPIVY",
				"Seasalt",
				"ShadyRAT",
				"StarsyPound",
				"TROJAN.COOKIES",
				"TROJAN.FOXY",
				"TabMsgSQL",
				"Tarsip",
				"Trojan.GTALK",
				"WebC2",
				"WebC2-AdSpace",
				"WebC2-Ausov",
				"WebC2-Bolid",
				"WebC2-Cson",
				"WebC2-DIV",
				"WebC2-GreenCat",
				"WebC2-Head",
				"WebC2-Kt3",
				"WebC2-Qbp",
				"WebC2-Rave",
				"WebC2-Table",
				"WebC2-UGX",
				"WebC2-Yahoo",
				"Wordpress Bruteforcer",
				"bangat",
				"gsecdump",
				"pivy",
				"poisonivy",
				"pwdump",
				"zxdosml"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434798,
	"ts_updated_at": 1775792289,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/9bebbcc0ca9ea9c5f9cc3bedc4e80df11b0df574.pdf",
		"text": "https://archive.orkl.eu/9bebbcc0ca9ea9c5f9cc3bedc4e80df11b0df574.txt",
		"img": "https://archive.orkl.eu/9bebbcc0ca9ea9c5f9cc3bedc4e80df11b0df574.jpg"
	}
}