PlushDaemon EdgeStepper AitM backdoor activity
Malware Activity
Summary
Hide ▲
Show ▼
PlushDaemon's EdgeStepper backdoor is being used to reroute DNS queries and support adversary-in-the-middle (AitM) attacks, increasing the risk that software updates are delivered from attacker-controlled infrastructure. The activity affects software-update traffic and has been tied to hijacking update channels for programs such as Sogou Pinyin. EdgeStepper can help deliver a malicious DLL and bootstrap additional payloads, including LittleDaemon, DaemonicLogistics, and SlowStepper. The behavior broadens the threat from network tampering to downstream credential theft and data collection.
Related Happenings
SPECTRALVIPER DLL sideloading backdoor activity
Malware Activity
H score31
First: 11.06.2026 12:45
Last: 11.06.2026 12:45
Sources 1
About this happening:
The **SPECTRALVIPER** backdoor was executed on affected **Windows** hosts through a **DLL sideloading** chain during **October 2025 to March 2026**, giving operators a way to run...
SPECTRALVIPER DLL sideloading backdoor activity
Malware ActivityAbout this happening: The **SPECTRALVIPER** backdoor was executed on affected **Windows** hosts through a **DLL sideloading** chain during **October 2025 to March 2026**, giving operators a way to run...
DKnife Linux AitM malware activity targeting routers and edge devices
Malware Activity
H score30
First: 06.02.2026 16:56
Last: 06.02.2026 16:56
Sources 1
About this happening:
Researchers disclosed **DKnife**, a **China-nexus AitM framework** active since **at least 2019**, because it can **inspect packets, hijack downloads, and deliver malware** across...
DKnife Linux AitM malware activity targeting routers and edge devices
Malware ActivityAbout this happening: Researchers disclosed **DKnife**, a **China-nexus AitM framework** active since **at least 2019**, because it can **inspect packets, hijack downloads, and deliver malware** across...
PlushDaemon dns_cheat_v2 AitM implant
Malware Activity
H score27
First: 19.11.2025 14:00
Last: 19.11.2025 14:00
Sources 1
About this happening:
**PlushDaemon** is now known to operate **dns_cheat_v2**, an undocumented **AitM implant** that can reroute DNS traffic and help deliver malicious software updates into targeted n...
PlushDaemon dns_cheat_v2 AitM implant
Malware ActivityAbout this happening: **PlushDaemon** is now known to operate **dns_cheat_v2**, an undocumented **AitM implant** that can reroute DNS traffic and help deliver malicious software updates into targeted n...
PlushDaemon global espionage campaign
Campaign
H score35
First: 19.11.2025 14:00
Last: 19.11.2025 14:00
Sources 1
About this happening:
**PlushDaemon** is running a long-lived **global espionage campaign** that targets organizations across **multiple countries**, increasing the risk of cross-border compromise and...
PlushDaemon global espionage campaign
CampaignAbout this happening: **PlushDaemon** is running a long-lived **global espionage campaign** that targets organizations across **multiple countries**, increasing the risk of cross-border compromise and...
EdgeStepper-LittleDaemon-SlowStepper software-update malware delivery chain
Malware Activity
H score23
First: 19.11.2025 12:00
Last: 19.11.2025 12:00
Sources 1
About this happening:
The **EdgeStepper** malware chain is **hijacking software-update traffic** to deliver **LittleDaemon** on **Windows**, creating a path to deploy **SlowStepper** on targeted system...
EdgeStepper-LittleDaemon-SlowStepper software-update malware delivery chain
Malware ActivityAbout this happening: The **EdgeStepper** malware chain is **hijacking software-update traffic** to deliver **LittleDaemon** on **Windows**, creating a path to deploy **SlowStepper** on targeted system...
Timeline
-
19.11.2025 12:00 2 articles · 7mo ago
PlushDaemon EdgeStepper AitM backdoor disclosure
Initial DisclosureESET disclosed that PlushDaemon is using the previously undocumented Go-based network backdoor EdgeStepper to reroute DNS queries from software-update traffic to attacker-controlled infrastructure, enabling adversary-in-the-middle interception and delivery of malicious payloads against affected organizations. The reported chain uses a malicious DNS node associated with test.dsc.wcsset[.]com, configures iptables-based packet filtering, delivers the popup_4.2.0.2246.dll malware also known as LittleDaemon, and can bootstrap DaemonicLogistics to download and run the SlowStepper backdoor.
Show sources
- EdgeStepper Implant Reroutes DNS Queries to Deploy Malware via Hijacked Software Updates — thehackernews.com — 19.11.2025 12:00
- EdgeStepper Implant Reroutes DNS Queries to Deploy Malware via Hijacked Software Updates — thehackernews.com — 19.11.2025 12:00