Find notable cyber news and cases, enriched with sources, timelines, and signals.

PlushDaemon EdgeStepper AitM backdoor activity

Malware Activity
First reported
Last updated
Happening score
H score 33
1 unique sources, 1 articles

Summary

Hide ▲

PlushDaemon's EdgeStepper backdoor is being used to reroute DNS queries and support adversary-in-the-middle (AitM) attacks, increasing the risk that software updates are delivered from attacker-controlled infrastructure. The activity affects software-update traffic and has been tied to hijacking update channels for programs such as Sogou Pinyin. EdgeStepper can help deliver a malicious DLL and bootstrap additional payloads, including LittleDaemon, DaemonicLogistics, and SlowStepper. The behavior broadens the threat from network tampering to downstream credential theft and data collection.

Related Happenings

SPECTRALVIPER DLL sideloading backdoor activity

Malware Activity
H score31 First: 11.06.2026 12:45 Last: 11.06.2026 12:45 Sources 1

About this happening: The **SPECTRALVIPER** backdoor was executed on affected **Windows** hosts through a **DLL sideloading** chain during **October 2025 to March 2026**, giving operators a way to run...

DKnife Linux AitM malware activity targeting routers and edge devices

Malware Activity
H score30 First: 06.02.2026 16:56 Last: 06.02.2026 16:56 Sources 1

About this happening: Researchers disclosed **DKnife**, a **China-nexus AitM framework** active since **at least 2019**, because it can **inspect packets, hijack downloads, and deliver malware** across...

PlushDaemon dns_cheat_v2 AitM implant

Malware Activity
H score27 First: 19.11.2025 14:00 Last: 19.11.2025 14:00 Sources 1

About this happening: **PlushDaemon** is now known to operate **dns_cheat_v2**, an undocumented **AitM implant** that can reroute DNS traffic and help deliver malicious software updates into targeted n...

PlushDaemon global espionage campaign

Campaign
H score35 First: 19.11.2025 14:00 Last: 19.11.2025 14:00 Sources 1

About this happening: **PlushDaemon** is running a long-lived **global espionage campaign** that targets organizations across **multiple countries**, increasing the risk of cross-border compromise and...

EdgeStepper-LittleDaemon-SlowStepper software-update malware delivery chain

Malware Activity
H score23 First: 19.11.2025 12:00 Last: 19.11.2025 12:00 Sources 1

About this happening: The **EdgeStepper** malware chain is **hijacking software-update traffic** to deliver **LittleDaemon** on **Windows**, creating a path to deploy **SlowStepper** on targeted system...

Timeline

  1. 19.11.2025 12:00 2 articles · 7mo ago

    PlushDaemon EdgeStepper AitM backdoor disclosure

    Initial Disclosure

    ESET disclosed that PlushDaemon is using the previously undocumented Go-based network backdoor EdgeStepper to reroute DNS queries from software-update traffic to attacker-controlled infrastructure, enabling adversary-in-the-middle interception and delivery of malicious payloads against affected organizations. The reported chain uses a malicious DNS node associated with test.dsc.wcsset[.]com, configures iptables-based packet filtering, delivers the popup_4.2.0.2246.dll malware also known as LittleDaemon, and can bootstrap DaemonicLogistics to download and run the SlowStepper backdoor.

    Show sources