
EdgeStepper

EdgeStepper is a previously undocumented Go-based network implant/backdoor used by the China-aligned espionage group PlushDaemon to conduct adversary-in-the-middle attacks by hijacking DNS traffic on compromised network devices, especially routers and other edge devices. It is compiled as an ELF binary for MIPS32 systems and has also been referred to internally by its developers as dns_cheat_v2 based on symbols found in the binary. Once installed, EdgeStepper redirects all DNS queries, including via iptables redirection of UDP/53 traffic, to attacker-controlled malicious DNS or hijacking nodes, rerouting legitimate software-update traffic to PlushDaemon infrastructure. It monitors for requests associated with popular Chinese software products, including Sogou Pinyin, and if matching update traffic is observed, it causes victims to download trojanized updates.

EdgeStepper is used as part of a multi-stage intrusion chain. Hijacked update traffic is used to deliver the LittleDaemon and DaemonicLogistics downloaders, which in turn deploy the custom Windows backdoor SlowStepper. Reported behavior includes use of AES-CBC with a hardcoded key and IV to decrypt configuration data. Malware components in the broader chain are obfuscated and encrypted, sometimes masquerading as ZIP or GIF files, and DaemonicLogistics may store files in directories named after legitimate software vendors. Some LittleDaemon variants can remove themselves to reduce detection.

PlushDaemon has been active since at least 2018 and has targeted victims in China, Hong Kong, Taiwan, Cambodia, South Korea, New Zealand, and the United States, including universities and manufacturing companies. Reported victim access commonly begins with compromise of routers or network devices through known vulnerabilities or weak/default administrative passwords; PlushDaemon has also been reported exploiting web server vulnerabilities. The campaign is associated with cyberespionage and software-update hijacking, including a reported supply-chain attack against a South Korean VPN software provider. Mentioned attacker infrastructure includes Alibaba Cloud-hosted domains such as ds20221202.dsc.wcsset[.]com and test.dsc.wcsset[.]com. Reported detections include Linux/Agent.AEP, Win32/Rozena.BXX, Win32/Agent.AGXK, and Win32/Agent.AFDT.


Threat actors

Groups observed using it (1 distinct threat actor attributed by public researchers)
PlushDaemon

ESET said the PlushDaemon APT group is behind the “EdgeStepper” network implant that hijacks DNS traffic and sends it to malicious nodes controlled by the threat actors.

via The Register Security, go.theregister.com
MITRE ATT&CK

Techniques & procedures

8 distinct techniques documented for this family, organized by ATT&CK tactic.

Resource Development

1 technique
T1584.008 Network Devices (evidence: 1)

The attack essentially commences with the threat actor compromising an edge network device (e.g., a router) that its target is likely to connect to.

Initial Access

3 techniques
T1078 Valid Accounts (evidence: 3)

This is accomplished by either exploiting a security flaw in the software or through weak credentials, allowing them to deploy EdgeStepper.

T1190 Exploit Public-Facing Application (evidence: 3)

The attackers gain access to routers by exploiting known vulnerabilities or weak admin passwords, install the EdgeStepper implant, and then redirect software-update traffic to their own infrastructure.

T1195 Supply Chain Compromise (evidence: 1)

Telemetry data from cybersecurity firm ESET indicates that since 2019, the threat actor has relied on malicious updates to breach target networks.

Execution

1 technique
T1574.001 DLL (evidence: 1)

The attack specifically checks for several Chinese software products, including Sogou Pinyin, to have their update channels hijacked by means of EdgeStepper to deliver a malicious DLL ("popup_4.2.0.2246.dll" aka LittleDaemon) from a threat actor-controlled server.

Persistence

1 technique
T1078 Valid Accounts (evidence: 3)

This is accomplished by either exploiting a security flaw in the software or through weak credentials, allowing them to deploy EdgeStepper.

Privilege Escalation

1 technique
T1078 Valid Accounts (evidence: 3)

This is accomplished by either exploiting a security flaw in the software or through weak credentials, allowing them to deploy EdgeStepper.

Stealth

2 techniques
T1078 Valid Accounts (evidence: 3)

This is accomplished by either exploiting a security flaw in the software or through weak credentials, allowing them to deploy EdgeStepper.

T1574.001 DLL (evidence: 1)

The attack specifically checks for several Chinese software products, including Sogou Pinyin, to have their update channels hijacked by means of EdgeStepper to deliver a malicious DLL ("popup_4.2.0.2246.dll" aka LittleDaemon) from a threat actor-controlled server.

Credential Access

1 technique
T1557 Adversary-in-the-Middle (evidence: 4)

The Adversary-in-the-Middle (AitM) attack proceeds with the proxy detecting a DNS query for a domain associated with software updates. When such queries come, it responds with the IP of the attacker-controlled server instead of the legitimate one.

Collection

1 technique
T1557 Adversary-in-the-Middle (evidence: 4)

The Adversary-in-the-Middle (AitM) attack proceeds with the proxy detecting a DNS query for a domain associated with software updates. When such queries come, it responds with the IP of the attacker-controlled server instead of the legitimate one.

Command and Control

1 technique
T1090 Proxy (evidence: 1)

Once installed, EdgeStepper configures “iptables” rules on the device to redirect all UDP traffic on port 53 (DNS) to a local proxy (port 1090 by default), which forwards the queries to a malicious DNS node.
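The iptables redirection described above leaves a visible artifact in the device's NAT table, which defenders can audit. The following is an added example, not code from this page, ESET, or the implant: it parses constructed `iptables-save` output from a hypothetical router and flags nat-table rules that divert port-53 traffic to another port or host. The interface names and the 1090 proxy port in the sample are illustrative.

```python
import re

# Constructed sample `iptables-save` output for a hypothetical router (not a real
# device). The first PREROUTING rule has the shape the page attributes to
# EdgeStepper: all UDP/53 traffic redirected to a local proxy on port 1090.
SAMPLE_IPTABLES_SAVE = """\
*nat
-A PREROUTING -i br-lan -p udp -m udp --dport 53 -j REDIRECT --to-ports 1090
-A PREROUTING -i br-lan -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
*filter
-A INPUT -p udp -m udp --dport 53 -j ACCEPT
COMMIT
"""

DNS_PORT = "53"
REDIRECT_RE = re.compile(r"--to-ports?\s+(\S+)")
DNAT_RE = re.compile(r"--to-destination\s+(\S+)")


def find_dns_redirects(iptables_save_text):
    """Return nat-table rules that divert port-53 traffic to another port or host.

    Only REDIRECT/DNAT rules in the *nat table change who answers a client's
    DNS query; a filter-table ACCEPT on port 53 is normal and is ignored.
    """
    findings = []
    table = None
    for raw in iptables_save_text.splitlines():
        tokens = raw.split()
        if not tokens:
            continue
        if tokens[0].startswith("*"):  # table header, e.g. "*nat"
            table = tokens[0][1:]
            continue
        if table != "nat" or tokens[0] != "-A":
            continue
        if "--dport" not in tokens or tokens[tokens.index("--dport") + 1] != DNS_PORT:
            continue
        target = tokens[tokens.index("-j") + 1] if "-j" in tokens else None
        pattern = {"REDIRECT": REDIRECT_RE, "DNAT": DNAT_RE}.get(target)
        if pattern is None:
            continue  # ACCEPT/RETURN etc. do not divert the query
        match = pattern.search(raw)
        proto = tokens[tokens.index("-p") + 1] if "-p" in tokens else "any"
        findings.append({"chain": tokens[1], "proto": proto, "target": target,
                         "to": match.group(1) if match else None, "rule": raw})
    return findings


if __name__ == "__main__":
    for f in find_dns_redirects(SAMPLE_IPTABLES_SAVE):
        print(f"DNS diverted: {f['proto']}/{DNS_PORT} -> {f['to']}  [{f['rule']}]")
```

On a real device, feed it the output of `iptables-save` (or `iptables -t nat -S`, whose rule lines use the same `-A ... -j REDIRECT --to-ports N` form) and treat any finding as something to explain, since a home or branch router normally has no reason to rewrite where DNS is answered.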

Impact

1 technique
T1565.001 Stored Data Manipulation (evidence: 5)

A router implant is redirecting DNS traffic to attacker-controlled infrastructure, turning trusted update channels into delivery paths for the espionage backdoor.
