EdgeStepper-LittleDaemon-SlowStepper software-update malware delivery chain
Malware Activity
Summary
Hide ▲
Show ▼
The EdgeStepper malware chain is hijacking software-update traffic to deliver LittleDaemon on Windows, creating a path to deploy SlowStepper on targeted systems. The operation uses compromised routers and malicious DNS redirection to steer update requests to attacker infrastructure. That behavior increases the risk of covert malware installation during routine updates.
Related Happenings
ShapedPlugin LicenseLoader fake WooCommerce backdoor
Malware Activity
H score21
First: 18.06.2026 15:55
Last: 18.06.2026 15:55
Sources 1
About this happening:
The **LicenseLoader.php** malware embedded in infected ShapedPlugin releases now enables **credential theft**, **2FA secret theft**, and **remote file-writing** on compromised Wor...
ShapedPlugin LicenseLoader fake WooCommerce backdoor
Malware ActivityAbout this happening: The **LicenseLoader.php** malware embedded in infected ShapedPlugin releases now enables **credential theft**, **2FA secret theft**, and **remote file-writing** on compromised Wor...
SPECTRALVIPER DLL sideloading backdoor activity
Malware Activity
H score31
First: 11.06.2026 12:45
Last: 11.06.2026 12:45
Sources 1
About this happening:
The **SPECTRALVIPER** backdoor was executed on affected **Windows** hosts through a **DLL sideloading** chain during **October 2025 to March 2026**, giving operators a way to run...
SPECTRALVIPER DLL sideloading backdoor activity
Malware ActivityAbout this happening: The **SPECTRALVIPER** backdoor was executed on affected **Windows** hosts through a **DLL sideloading** chain during **October 2025 to March 2026**, giving operators a way to run...
Dragon Boss Solutions LLC adware malicious update
Malware Activity
H score26
First: 16.04.2026 22:07
Last: 16.04.2026 22:07
Sources 1
About this happening:
A **March 22, 2025** malicious update turned **Dragon Boss Solutions LLC** adware into an **AV-disabling** payload, exposing nearly **24,000 systems** to follow-on abuse. The upda...
Dragon Boss Solutions LLC adware malicious update
Malware ActivityAbout this happening: A **March 22, 2025** malicious update turned **Dragon Boss Solutions LLC** adware into an **AV-disabling** payload, exposing nearly **24,000 systems** to follow-on abuse. The upda...
DKnife Linux AitM malware activity targeting routers and edge devices
Malware Activity
H score30
First: 06.02.2026 16:56
Last: 06.02.2026 16:56
Sources 1
About this happening:
Researchers disclosed **DKnife**, a **China-nexus AitM framework** active since **at least 2019**, because it can **inspect packets, hijack downloads, and deliver malware** across...
DKnife Linux AitM malware activity targeting routers and edge devices
Malware ActivityAbout this happening: Researchers disclosed **DKnife**, a **China-nexus AitM framework** active since **at least 2019**, because it can **inspect packets, hijack downloads, and deliver malware** across...
UDPGangster backdoor deployed by MuddyWater
Malware Activity
H score22
First: 08.12.2025 08:46
Last: 08.12.2025 08:46
Sources 1
About this happening:
The **MuddyWater** group has deployed **UDPGangster**, a new backdoor that uses **UDP C2** to control compromised systems and expand post-compromise access. The malware can **exec...
UDPGangster backdoor deployed by MuddyWater
Malware ActivityAbout this happening: The **MuddyWater** group has deployed **UDPGangster**, a new backdoor that uses **UDP C2** to control compromised systems and expand post-compromise access. The malware can **exec...
Timeline
-
19.11.2025 12:00 2 articles · 7mo ago
PlushDaemon EdgeStepper software-update hijacking
Initial DisclosurePlushDaemon is hijacking software-update traffic by compromising routers, installing EdgeStepper, and redirecting DNS queries for update domains to malicious infrastructure so Windows victims receive the DLL downloader LittleDaemon, which loads DaemonicLogistics and then SlowStepper. The campaign has targeted individuals and organizations in the United States, China, Taiwan, Hong Kong, South Korea, and New Zealand, and telemetry indicates malicious-update abuse since 2019 against electronics manufacturers, universities, and a Japanese automotive manufacturing plant in Cambodia.
Show sources
- ‘PlushDaemon’ hackers hijack software updates in supply-chain attacks — www.bleepingcomputer.com — 19.11.2025 12:00
- ‘PlushDaemon’ hackers hijack software updates in supply-chain attacks — www.bleepingcomputer.com — 19.11.2025 12:00