PlushDaemon Compromises Network Devices for Adversary-in-the-Middle Attacks

ESET researchers have discovered a network implant used by the China-aligned PlushDaemon APT group to perform adversary-in-the-middle attacks.
You can read more here: https://www.welivesecurity.com/en/eset-research/plushdaemon-compromises-network-devices-for-adversary-in-the-middle-attacks/
Ensar Seker, CISO at SOCRadar, commented:
“The attack outlined in recent reports marks a deeply concerning evolution in supply chain and update-mechanism compromise. PlushDaemon is exploiting edge network devices, routers and similar infrastructure, via implants such as EdgeStepper to intercept DNS queries and redirect software-update traffic toward attacker-controlled infrastructure. By hijacking a trusted software-update channel, the group manages to deliver custom downloaders (e.g., LittleDaemon, DaemonicLogistics) and ultimately the SlowStepper backdoor toolkit without triggering the usual defenses around malicious attachments or phishing.
“What makes this campaign particularly dangerous is two-fold. First, the compromise occurs at the network infrastructure layer rather than the endpoint, meaning it bypasses most EDRs, user-based filters, and conventional supply-chain checks. Second, the software update system is treated as a trusted delivery mechanism, making detection and attribution extremely difficult. The attacker doesn’t need to persuade a user to click a link or open a file; they simply hijack the trust in the update process itself. This underscores how sophisticated adversaries are blending network compromise with supply chain tradecraft.
“For security teams, the implications are clear: controlling and monitoring just the ‘software packages’ is no longer enough. Organizations must treat the update infrastructure, DNS routing paths, device firmware/routers, and trust chains as part of their threat surface. I’d recommend organizations map out their trusted update hierarchies, enforce signed updates end-to-end, monitor outbound DNS resolution patterns for anomalies (especially from network devices), and segment update-delivery systems from general user infrastructure. The fact that PlushDaemon is operating across multiple sectors (including universities, manufacturing, automotive) and regions (U.S., Taiwan, New Zealand, South Korea) means that no industry can consider itself immune.”
I have to admit that this is the most interesting man-in-the-middle attack that I have seen. And it’s concerning as it requires zero user interaction. On top of that it happens further up the attack chain. That should put defenders on alert as this would be difficult to defend against.
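One concrete way to act on the recommendation in the quote above, monitoring DNS resolution for update hosts and watching what network devices resolve against, is to pin the expected address ranges of your vendors' update hostnames and flag any answer that falls outside them, plus any router or edge device that sends DNS to a resolver you did not approve. The script below is an added example written for this post; it is not code from ESET, SOCRadar or the PlushDaemon report. The hostnames, address ranges, device addresses, the five-field log format and the log lines are all constructed placeholders, and the script runs offline on the embedded sample.

```python
"""Added example (not from the ESET report or the quoted commentary).

Reads a constructed resolver log of the form
    <timestamp> <client-ip> <resolver-ip> <queried-name> <answer-ip>
and raises two kinds of findings:
  * unexpected_update_answer  - a pinned update hostname resolved to an
                                address outside its expected ranges
  * device_unapproved_resolver - a network device sent its DNS query to a
                                resolver that is not on the approved list
"""
import ipaddress
from dataclasses import dataclass

# Constructed allowlist: update hostname -> CIDR ranges its answers must fall in.
# (Placeholder names and documentation-only address ranges.)
EXPECTED_UPDATE_RANGES = {
    "updates.example-vendor.test": ("203.0.113.0/24", "198.51.100.0/24"),
}
# Constructed: the only resolvers that network devices are allowed to use.
APPROVED_RESOLVERS = {"10.0.0.53", "10.0.1.53"}
# Constructed: addresses of the routers/edge devices whose DNS behaviour we watch.
NETWORK_DEVICES = {"10.0.254.1", "10.0.254.2"}

# Constructed sample log: line 2 is an update host answered from an
# unexpected range; line 3 is a network device talking to a foreign resolver.
SAMPLE_LOG = """\
2025-11-19T14:00:01Z 10.0.20.15 10.0.0.53 updates.example-vendor.test 203.0.113.10
2025-11-19T14:00:05Z 10.0.254.1 10.0.0.53 updates.example-vendor.test 192.0.2.77
2025-11-19T14:00:09Z 10.0.254.2 192.0.2.53 time.example-vendor.test 198.51.100.5
2025-11-19T14:00:12Z 10.0.20.16 10.0.0.53 www.example-vendor.test 198.51.100.20
2025-11-19T14:00:15Z 10.0.20.17 10.0.0.53 updates.example-vendor.test 198.51.100.9
"""


@dataclass(frozen=True)
class Finding:
    kind: str
    client: str
    qname: str
    detail: str


def parse_line(line):
    """Split one log line of the constructed five-field format into a dict."""
    ts, client, resolver, qname, answer = line.split()
    return {
        "ts": ts,
        "client": client,
        "resolver": resolver,
        "qname": qname.lower().rstrip("."),  # normalise case and trailing dot
        "answer": answer,
    }


def answer_matches_pin(qname, answer):
    """True/False for pinned update hosts; None when the name is not pinned."""
    ranges = EXPECTED_UPDATE_RANGES.get(qname)
    if ranges is None:
        return None
    addr = ipaddress.ip_address(answer)
    return any(addr in ipaddress.ip_network(cidr) for cidr in ranges)


def analyze(log_text):
    """Run both checks over every line and return the findings in log order."""
    findings = []
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        rec = parse_line(raw)
        if answer_matches_pin(rec["qname"], rec["answer"]) is False:
            findings.append(Finding(
                "unexpected_update_answer", rec["client"], rec["qname"],
                f"answer {rec['answer']} is outside the expected ranges"))
        if rec["client"] in NETWORK_DEVICES and rec["resolver"] not in APPROVED_RESOLVERS:
            findings.append(Finding(
                "device_unapproved_resolver", rec["client"], rec["qname"],
                f"resolver {rec['resolver']} is not on the approved list"))
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"{f.kind:28s} client={f.client:12s} qname={f.qname} ({f.detail})")
```

Run it as-is and it reports exactly the two planted anomalies and nothing for the three benign lines. The pinned-range check is the one that matters for the hijack described in the quote: a device that rewrites update-host answers shows up as an update hostname resolving somewhere it never should, regardless of which endpoint asked. In production you would feed it your resolver's query logs, keep the pin table per vendor, and treat any hit from a network device address as high priority, since that is where an implant like EdgeStepper would sit.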
This entry was posted on November 19, 2025 at 2:06 pm and is filed under Commentary with tags ESET. You can follow any responses to this entry through the RSS 2.0 feed.