Original Article Text


‘PlushDaemon’ hackers hijack software updates in supply-chain attacks

A China-linked threat actor tracked as 'PlushDaemon' is hijacking software update traffic using a new implant called EdgeStepper in cyberespionage operations.

Since 2018, PlushDaemon hackers have targeted individuals and organizations in the United States, China, Taiwan, Hong Kong, South Korea, and New Zealand with custom malware, such as the SlowStepper backdoor.

PlushDaemon has compromised electronics manufacturers, universities, and a Japanese automotive manufacturing plant in Cambodia.

Telemetry data from cybersecurity firm ESET indicates that since 2019, the threat actor has relied on malicious updates to breach target networks.

Attack chain

The attackers gain access to routers by exploiting known vulnerabilities or weak admin passwords, install the EdgeStepper implant, and then redirect software-update traffic to their own infrastructure.

EdgeStepper works by intercepting DNS queries and, after confirming that the queried domain is used for delivering software updates, redirecting them to a malicious DNS node, ESET researchers explain in a report shared with BleepingComputer.

When a victim tries to update their software, they instead receive the LittleDaemon malware downloader for Windows, disguised as a DLL file named ‘popup_4.2.0.2246.dll.’

LittleDaemon fetches another dropper, named DaemonicLogistics, which is decrypted and executed in memory and in turn retrieves PlushDaemon's signature backdoor, SlowStepper.

The backdoor has been previously documented in attacks against users of the South Korean VPN product IPany. During those attacks, users downloaded a trojanized installer from the vendor’s official website.

SlowStepper lets the hackers collect detailed system information, run extensive file operations, execute commands, and run various Python-based spyware tools that can steal data from the browser, log keystrokes, and collect credentials.
Defending

To protect against these attacks, keep routers and network device firmware up to date, use strong admin passwords, and disable remote access panels if they are not needed. This should block attempts to install implants like EdgeStepper.

Even when a router is compromised, using DNS over HTTPS (DoH) or DNS over TLS (DoT) can provide protection, as the attackers would not be able to see which domains the victim is resolving and so could not tell when a software update request is being made.

Finally, using software that cryptographically verifies update packages is key, because a trojanized update package no longer matches the vendor's digital signature.
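The last point is the one that holds even when DNS and the router are fully attacker-controlled: a hijacker in the update path can substitute bytes, but cannot produce a signature that verifies under a vendor key pinned inside the client. The example below, added here and not code from the article, from ESET, or from any of the products named, shows a minimal update client check in Go. It assumes a simple signed manifest format (name, version, SHA-256 of the package) and Ed25519 from the standard library; the package bytes and key pair are constructed inline. It goes one step beyond the article by also rejecting a replayed older release, since a signed but outdated package passes a signature check yet still reintroduces known vulnerabilities.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"strconv"
	"strings"
)

// Manifest is the record the vendor signs at build time: what the package is
// and the SHA-256 of its exact bytes. This format is an assumption for the
// example; real updaters define their own.
type Manifest struct {
	Name    string
	Version string
	SHA256  string // lowercase hex
}

// Bytes gives the canonical encoding that is signed and verified.
func (m Manifest) Bytes() []byte {
	return []byte(m.Name + "\n" + m.Version + "\n" + m.SHA256 + "\n")
}

var (
	ErrBadSignature = errors.New("update rejected: manifest signature does not verify against pinned vendor key")
	ErrHashMismatch = errors.New("update rejected: package bytes do not match the signed manifest")
	ErrRollback     = errors.New("update rejected: manifest version is not newer than the installed version")
)

// HexSHA256 returns the lowercase hex SHA-256 of b.
func HexSHA256(b []byte) string {
	sum := sha256.Sum256(b)
	return hex.EncodeToString(sum[:])
}

// SignManifest is the vendor (build pipeline) side, included only so the
// example runs stand-alone; the private key never ships with the client.
func SignManifest(priv ed25519.PrivateKey, m Manifest) []byte {
	return ed25519.Sign(priv, m.Bytes())
}

// newerVersion reports whether a is strictly newer than b, comparing
// dotted numeric components ("4.2.10" is newer than "4.2.9").
func newerVersion(a, b string) bool {
	pa, pb := strings.Split(a, "."), strings.Split(b, ".")
	for i := 0; i < len(pa) || i < len(pb); i++ {
		var x, y int
		if i < len(pa) {
			x, _ = strconv.Atoi(pa[i])
		}
		if i < len(pb) {
			y, _ = strconv.Atoi(pb[i])
		}
		if x != y {
			return x > y
		}
	}
	return false
}

// VerifyUpdate is the client side. Order matters: the signature is checked
// first so nothing from an unauthenticated manifest is trusted, then the
// package hash, then the version (a hijacked update path could replay an
// old, validly signed but vulnerable release).
func VerifyUpdate(vendorPub ed25519.PublicKey, m Manifest, sig, pkg []byte, installed string) error {
	if !ed25519.Verify(vendorPub, m.Bytes(), sig) {
		return ErrBadSignature
	}
	if HexSHA256(pkg) != m.SHA256 {
		return ErrHashMismatch
	}
	if !newerVersion(m.Version, installed) {
		return ErrRollback
	}
	return nil
}

func main() {
	// Vendor key pair, generated here for the demo. In a real client the
	// public key is compiled in; the private key stays in the build system.
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)

	genuine := []byte("constructed genuine update package")
	m := Manifest{Name: "ExampleApp", Version: "1.2.3", SHA256: HexSHA256(genuine)}
	sig := SignManifest(priv, m)
	fmt.Println("genuine:        ", VerifyUpdate(pub, m, sig, genuine, "1.2.2"))

	// Update traffic redirected: same manifest and signature, different bytes.
	trojan := []byte("constructed trojanized package")
	fmt.Println("swapped bytes:  ", VerifyUpdate(pub, m, sig, trojan, "1.2.2"))

	// Manifest hash rewritten to match the swapped bytes, but not re-signable.
	forged := m
	forged.SHA256 = HexSHA256(trojan)
	fmt.Println("forged manifest:", VerifyUpdate(pub, forged, sig, trojan, "1.2.2"))

	// Replay of a release the client already has.
	fmt.Println("rollback:       ", VerifyUpdate(pub, m, sig, genuine, "1.2.3"))
}
```

The hash-then-signature split is deliberate: signing a small manifest rather than the whole package lets the client reject a bad download before it has to read the full file, and the same manifest can be fetched over a different channel from the package itself. DoH/DoT helps only if the update client, not just the browser, uses it; the signature check is what does not depend on the network path at all.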

Daily Brief Summary

NATION STATE ACTIVITY // PlushDaemon Exploits Software Updates in Global Cyberespionage Campaign

The China-linked PlushDaemon group is conducting cyberespionage by hijacking software updates, targeting sectors in the US, China, Taiwan, and other countries since 2018.

Key targets include electronics manufacturers, universities, and a Japanese automotive plant in Cambodia, indicating a focus on industrial and academic espionage.

Attackers exploit router vulnerabilities to install the EdgeStepper implant, redirecting update traffic to malicious infrastructure for further exploitation.

EdgeStepper intercepts DNS queries, deploying the LittleDaemon malware downloader, which installs the SlowStepper backdoor for extensive data theft.

SlowStepper, previously used against South Korean VPN users, enables system information collection, file operations, and credential theft.

Recommended defenses include updating router firmware, using strong passwords, disabling unnecessary remote access, and employing DNS over HTTPS or TLS.

Cryptographic verification of software updates is crucial to prevent trojanized packages, ensuring integrity and authenticity of update processes.