PlushDaemon EdgeStepper AitM backdoor activity
Malware Activity
Summary
PlushDaemon's EdgeStepper backdoor is being used to reroute DNS queries and support adversary-in-the-middle (AitM) attacks, increasing the risk that software updates are delivered from attacker-controlled infrastructure. The activity affects software-update traffic and has been tied to hijacking update channels for programs such as Sogou Pinyin. EdgeStepper can help deliver a malicious DLL and bootstrap additional payloads, including LittleDaemon, DaemonicLogistics, and SlowStepper. The behavior broadens the threat from network tampering to downstream credential theft and data collection.
Related Happenings
DKnife Linux AitM malware activity targeting routers and edge devices
Malware Activity
First: 06.02.2026 16:56
Last: 06.02.2026 16:56
Sources 1
About this happening:
Researchers disclosed **DKnife**, a **China-nexus AitM framework** active since **at least 2019**, because it can **inspect packets, hijack downloads, and deliver malware** across...
PlushDaemon dns_cheat_v2 AitM implant
Malware Activity
First: 19.11.2025 14:00
Last: 19.11.2025 14:00
Sources 1
About this happening:
**PlushDaemon** is now known to operate **dns_cheat_v2**, an undocumented **AitM implant** that can reroute DNS traffic and help deliver malicious software updates into targeted n...
PlushDaemon global espionage campaign
Campaign
First: 19.11.2025 14:00
Last: 19.11.2025 14:00
Sources 1
About this happening:
**PlushDaemon** is running a long-lived **global espionage campaign** that targets organizations across **multiple countries**, increasing the risk of cross-border compromise and...
EdgeStepper-LittleDaemon-SlowStepper software-update malware delivery chain
Malware Activity
First: 19.11.2025 12:00
Last: 19.11.2025 12:00
Sources 1
About this happening:
The **EdgeStepper** malware chain is **hijacking software-update traffic** to deliver **LittleDaemon** on **Windows**, creating a path to deploy **SlowStepper** on targeted system...
PlushDaemon software update hijacking campaign
Campaign
First: 19.11.2025 12:00
Last: 19.11.2025 12:00
Sources 1
About this happening:
**PlushDaemon** is actively **hijacking software update traffic** in a **cyberespionage campaign**, expanding the risk of supply-chain style access across **multiple countries**....
Timeline
19.11.2025 12:00 · 2 articles
PlushDaemon EdgeStepper AitM backdoor disclosure
Initial Disclosure: ESET disclosed that PlushDaemon is using the previously undocumented Go-based network backdoor EdgeStepper to reroute DNS queries from software-update traffic to attacker-controlled infrastructure, enabling adversary-in-the-middle interception and delivery of malicious payloads against affected organizations. The reported chain uses a malicious DNS node associated with test.dsc.wcsset[.]com, configures iptables-based packet filtering, delivers the popup_4.2.0.2246.dll malware also known as LittleDaemon, and can bootstrap DaemonicLogistics to download and run the SlowStepper backdoor.
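The disclosure above describes update traffic being hijacked at the DNS layer: the client asks for the vendor's update host and receives an attacker-controlled answer. A defender-side check for that symptom, added here as an example and not code from the tracker page or from ESET's report, is to compare resolver log answers for pinned update hostnames against the ranges those hosts are expected to resolve to, and to flag any lookup of the DNS node domain the page names. The log line format, the update hostname `update.example-vendor.test`, the pinned RFC 5737 documentation ranges and the sample log lines are all constructed for this example; only the `test.dsc.wcsset[.]com` indicator comes from the page.

```python
"""Flag DNS answers for software-update hosts that fall outside pinned ranges.

Added example; not part of the original page or of ESET's tooling. Everything
below except the wcsset indicator (taken defanged from the page) is constructed.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Constructed pins: the address ranges an operator has historically seen for
# each update hostname. RFC 5737 documentation ranges, not real vendor infrastructure.
EXPECTED_UPDATE_NETS = {
    "update.example-vendor.test": [ipaddress.ip_network("198.51.100.0/24")],
}

# Indicator from the page, kept defanged in source and normalised for matching.
KNOWN_BAD_DOMAINS = {"test.dsc.wcsset[.]com".replace("[.]", ".")}

# Constructed resolver log format: one query/answer pair per line.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) client=(?P<client>\S+) query=(?P<qname>\S+) "
    r"type=(?P<qtype>\S+) answer=(?P<answer>\S+)$"
)


@dataclass(frozen=True)
class Finding:
    ts: str
    client: str
    qname: str
    answer: str
    reason: str


def parse_line(line: str) -> Optional[dict]:
    """Return the fields of one log line, or None for lines that do not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def check_record(rec: dict) -> Optional[Finding]:
    """Apply the two checks: known-bad domain lookup, and off-pin update answers."""
    qname = rec["qname"].rstrip(".").lower()

    def finding(reason: str) -> Finding:
        return Finding(rec["ts"], rec["client"], qname, rec["answer"], reason)

    if qname in KNOWN_BAD_DOMAINS:
        return finding("lookup of domain associated with the malicious DNS node")

    nets = EXPECTED_UPDATE_NETS.get(qname)
    if nets is None or rec["qtype"] not in ("A", "AAAA"):
        return None  # not a pinned update host, or not an address record

    try:
        addr = ipaddress.ip_address(rec["answer"])
    except ValueError:
        return finding("unparseable address answer for pinned update host")

    if not any(addr in net for net in nets):
        return finding("update host resolved outside pinned ranges")
    return None


def scan(lines: Iterable[str]) -> List[Finding]:
    """Run the checks over log lines, silently skipping malformed ones."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        f = check_record(rec)
        if f is not None:
            findings.append(f)
    return findings


# Constructed sample log: one normal answer, one off-pin answer for the update
# host, one lookup of the page's indicator domain, one unrelated host, one junk line.
SAMPLE_LOG = [
    "2025-11-19T12:00:01Z client=10.0.0.5 query=update.example-vendor.test. type=A answer=198.51.100.20",
    "2025-11-19T12:00:07Z client=10.0.0.5 query=update.example-vendor.test. type=A answer=203.0.113.9",
    "2025-11-19T12:00:09Z client=10.0.0.7 query=test.dsc.wcsset.com. type=A answer=203.0.113.10",
    "2025-11-19T12:00:11Z client=10.0.0.7 query=www.example.test. type=A answer=192.0.2.1",
    "this line is not a resolver record",
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f.ts} {f.client} {f.qname} -> {f.answer}: {f.reason}")
```

An off-pin answer is a triage signal rather than proof: CDN-fronted update hosts legitimately change address, so pins need periodic refresh, and this check only sees what the resolver logged, not a rewrite applied further along the path. The control that actually stops the chain described on the page is the update client refusing to run anything that does not carry a valid vendor signature, whatever address it was fetched from.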
- EdgeStepper Implant Reroutes DNS Queries to Deploy Malware via Hijacked Software Updates — thehackernews.com — 19.11.2025 12:00