Skip to main content
Live Webinar with SANS (June 25)— Agentic CTI Automation for Fun & ProfitRegister Free
Mallory
Back to threat actors
4 malware families

PlushDaemon

Also known asPlushDaemon

PlushDaemon is a China-aligned advanced persistent threat (APT) group engaged in espionage operations and active since at least 2018. Reporting attributes the group as Beijing-aligned and links it to targets in China, Hong Kong, Taiwan, Cambodia, South Korea, New Zealand, and the United States, including organizations and individuals. PlushDaemon is known for adversary-in-the-middle (AitM) operations that hijack legitimate software update traffic. Its primary technique involves compromising network devices such as routers and gateways, then deploying a Go-based network implant called EdgeStepper to redirect DNS queries to attacker-controlled nodes. This allows the group to reroute traffic from legitimate software-update infrastructure and deliver malicious payloads. ESET reporting states PlushDaemon used this technique to hijack updates for software including Sogou Pinyin, and that the same AitM method has also been used for lateral movement inside networks. The group’s malware ecosystem includes EdgeStepper, the SlowStepper backdoor, and the downloaders LittleDaemon and DaemonicLogistics. EdgeStepper is used to intercept update traffic and serve malicious packages; LittleDaemon and DaemonicLogistics are used to deploy SlowStepper on Windows systems. Content also links PlushDaemon to a supply-chain attack targeting a South Korean VPN provider in 2023/2024, and notes the group has also exploited web server vulnerabilities. Known aliases directly provided in the content are limited to PlushDaemon.

Share:
Are they targeting you?

Know when an actor pivots toward your sector

Mallory correlates actor tradecraft and target patterns against your stack, your sector, and your geography. See overlap before they land.

Start free trial
MITRE ATT&CK

Tradecraft

22 distinct techniques observed across reporting, grouped by tactic. Hover any cell for the evidence excerpt; click through for MITRE's full description.

11 of 15 tactics34 techniques×N= number of intelligence reports citing this technique
MITRE ATT&CK
TA0042
Resource Development
1 technique
T1584
Compromise Infrastructure
T1584.008
Network Devices
TA0001
Initial Access
3 techniques
T1078×3
Valid Accounts
T1190×3
Exploit Public-Facing Application
T1195×4
Supply Chain Compromise
T1195.002
Compromise Software Supply Chain
TA0002
Execution
2 techniques
T1059
Command and Scripting Interpreter
T1574
Hijack Execution Flow
T1574.001×2
DLL
TA0003
Persistence
1 technique
T1078×3
Valid Accounts
TA0004
Privilege Escalation
1 technique
T1078×3
Valid Accounts
TA0005
Stealth
4 techniques
T1036
Masquerading
T1078×3
Valid Accounts
T1140
Deobfuscate/Decode Files or Information
T1574
Hijack Execution Flow
T1574.001×2
DLL
TA0006
Credential Access
4 techniques
T1056
Input Capture
T1056.001
Keylogging
T1539
Steal Web Session Cookie
T1555×2
Credentials from Password Stores
T1557×5
Adversary-in-the-Middle
TA0007
Discovery
2 techniques
T1082×2
System Information Discovery
T1083×2
File and Directory Discovery
TA0009
Collection
6 techniques
T1005
Data from Local System
T1056
Input Capture
T1056.001
Keylogging
T1123
Audio Capture
T1125
Video Capture
T1213
Data from Information Repositories
T1557×5
Adversary-in-the-Middle
TA0011
Command and Control
2 techniques
T1090
Proxy
T1105×3
Ingress Tool Transfer
TA0040
Impact
1 technique
T1565
Data Manipulation
T1565.001×5
Stored Data Manipulation
ARSENAL

Associated malware families

4 malware families attributed to this actor across reporting.

FamilyContextEvidenceLast seen
EdgeStepperESET said the PlushDaemon APT group is behind the “EdgeStepper” network implant that hijacks DNS traffic and sends it to malicious nodes controlled by the threat actors.5Mar 18, 2026
SlowStepperIf one such software update request is found EdgeStepper will redirect it to PlushDaemon's infrastructure, resulting in the download of a trojanized update. The attacks lead to the deployment of SlowStepper.4Mar 18, 2026
LittleDaemon“…PlushDaemon that leveraged the same technique to distribute a custom downloader called LittleDaemon.”3Mar 18, 2026
DaemonicLogistics"We provide an analysis of LittleDaemon and DaemonicLogistics, two downloaders that deploy the group’s signature SlowStepper backdoor on Windows machines."1Mar 8, 2026
ACTIVITY FEED

Recent activity

15 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

15 SOURCESView more in app
cloudatg insightsNews
Feb 13, 2026
AI Development & Software Engineering | CloudATG

Actor using EdgeStepper implant to reroute DNS and hijack software update traffic for adversary-in-the-middle delivery of malware.

Read more
cloudatg insightsNews
Feb 13, 2026
AI Development & Software Engineering | CloudATG

China-aligned APT conducting a supply-chain compromise of a South Korean VPN provider by trojanizing an installer to deploy the SlowStepper implant.

Read more
huntio blogNews
Nov 26, 2025
SIGNALS WEEKLY: Wormed Repos, Multi-Vector APTs, KEV Identity RCE

PlushDaemon implants routers and network devices with EdgeStepper malware to hijack DNS, intercept update traffic, and deploy multi-stage backdoors for espionage.

Read more
risky biz rssNews
Nov 25, 2025
Risky Bulletin: Sha1-Hulud npm worm returns, with destructive behavior

PlushDaemon is a Chinese APT group hijacking software update traffic and deploying the EdgeStepper implant on networking devices.

Read more
+11 more in the timeline
What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: sector and geo overlap with your footprint, the IOCs they’re burning right now, detection coverage, and what to do next.
Start free trial
Target overlap

Match sector + geo + tech-stack targeting against your real footprint.

Tradecraft mapping22

Every observed MITRE ATT&CK technique, grouped by tactic.

Malware arsenal4

Families this actor is known to deploy, with IOCs and behavior.

Exploited CVEs

CVEs this actor has used in known campaigns.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Observables

Domains, IPs, and hashes tied to this actor, refreshed continuously.