
EdgeStepper-LittleDaemon-SlowStepper software-update malware delivery chain

Malware Activity
Happening score
H score 16
1 unique sources, 1 articles

Summary

The EdgeStepper malware chain is hijacking software-update traffic to deliver LittleDaemon on Windows, creating a path to deploy SlowStepper on targeted systems. The operation uses compromised routers and malicious DNS redirection to steer update requests to attacker infrastructure. That behavior increases the risk of covert malware installation during routine updates.

Related Happenings

Dragon Boss Solutions LLC adware malicious update

Malware Activity
First: 16.04.2026 22:07 Last: 16.04.2026 22:07 Sources 1

About this happening: A **March 22, 2025** malicious update turned **Dragon Boss Solutions LLC** adware into an **AV-disabling** payload, exposing nearly **24,000 systems** to follow-on abuse. The upda...

DKnife Linux AitM malware activity targeting routers and edge devices

Malware Activity
First: 06.02.2026 16:56 Last: 06.02.2026 16:56 Sources 1

About this happening: Researchers disclosed **DKnife**, a **China-nexus AitM framework** active since **at least 2019**, because it can **inspect packets, hijack downloads, and deliver malware** across...

UDPGangster backdoor deployed by MuddyWater

Malware Activity
First: 08.12.2025 08:46 Last: 08.12.2025 08:46 Sources 1

About this happening: The **MuddyWater** group has deployed **UDPGangster**, a new backdoor that uses **UDP C2** to control compromised systems and expand post-compromise access. The malware can **exec...

PlushDaemon dns_cheat_v2 AitM implant

Malware Activity
First: 19.11.2025 14:00 Last: 19.11.2025 14:00 Sources 1

About this happening: **PlushDaemon** is now known to operate **dns_cheat_v2**, an undocumented **AitM implant** that can reroute DNS traffic and help deliver malicious software updates into targeted n...

PlushDaemon global espionage campaign

Campaign
First: 19.11.2025 14:00 Last: 19.11.2025 14:00 Sources 1

About this happening: **PlushDaemon** is running a long-lived **global espionage campaign** that targets organizations across **multiple countries**, increasing the risk of cross-border compromise and...

Timeline

  1. 19.11.2025 12:00 2 articles · 6mo ago

    PlushDaemon EdgeStepper software-update hijacking

    Initial Disclosure

    PlushDaemon is hijacking software-update traffic by compromising routers, installing EdgeStepper, and redirecting DNS queries for update domains to malicious infrastructure so Windows victims receive the DLL downloader LittleDaemon, which loads DaemonicLogistics and then SlowStepper. The campaign has targeted individuals and organizations in the United States, China, Taiwan, Hong Kong, South Korea, and New Zealand, and telemetry indicates malicious-update abuse since 2019 against electronics manufacturers, universities, and a Japanese automotive manufacturing plant in Cambodia.
