PlushDaemon software update hijacking campaign
Campaign
Summary
PlushDaemon is actively hijacking software update traffic in a cyberespionage campaign, expanding the risk of supply-chain style access across multiple countries. The operation uses EdgeStepper to redirect victims to malicious infrastructure and deliver a layered malware chain. That matters because the campaign has been running since 2018 and has used malicious updates since 2019 to breach target networks. The activity has reached individuals and organizations in the United States, China, Taiwan, Hong Kong, South Korea, and New Zealand.
Related Happenings
Dragon Boss Solutions LLC adware malicious update
Malware Activity
First: 16.04.2026 22:07
Last: 16.04.2026 22:07
Sources 1
About this happening:
A **March 22, 2025** malicious update turned **Dragon Boss Solutions LLC** adware into an **AV-disabling** payload, exposing nearly **24,000 systems** to follow-on abuse. The upda...
BadIIS malware deployment on compromised IIS servers in Thailand and Vietnam
Malware Activity
First: 30.01.2026 14:08
Last: 30.01.2026 14:08
Sources 1
About this happening:
**BadIIS** is a **malicious native IIS module** used on **compromised IIS servers** to support **SEO fraud** and traffic manipulation. **Cisco Talos** says the activity is tied to...
Aisuru/Kimwolf botnet record DDoS campaign against telecommunications and IT companies
Campaign
First: 29.01.2026 16:55
Last: 29.01.2026 16:55
Sources 1
About this happening:
The **Aisuru/Kimwolf botnet** campaign expanded in **late 2025** with **Kimwolf**, a **DDoS botnet** compiled using the **NDK**, and evidence linking it to **AISURU** through shar...
Latest development: 20.03.2026 02:49
The U.S. Justice Department, with authorities in Canada and Germany, dismantled infrastructure behind Aisuru, Kimwolf, JackSkid and Mossad, seized U.S.-registered domains and virtual servers used in DDoS attacks against DoD Internet addresses, and said the action was intended to prevent further infections and future attacks.
Evasive Panda DNS poisoning MgBot espionage campaign
Campaign
First: 26.12.2025 16:44
Last: 26.12.2025 16:44
Sources 1
About this happening:
**Evasive Panda** ran a **highly targeted cyber espionage campaign** that used **DNS poisoning** to deliver **MgBot** to victims in **Türkiye, China, and India**. The operation wa...
UDPGangster backdoor deployed by MuddyWater
Malware Activity
First: 08.12.2025 08:46
Last: 08.12.2025 08:46
Sources 1
About this happening:
The **MuddyWater** group has deployed **UDPGangster**, a new backdoor that uses **UDP C2** to control compromised systems and expand post-compromise access. The malware can **exec...
Timeline
19.11.2025 12:00 · 2 articles
PlushDaemon software update hijacking disclosed
Initial Disclosure
The China-linked threat actor PlushDaemon is hijacking software update traffic in a cyberespionage campaign that targets individuals and organizations in the United States, China, Taiwan, Hong Kong, South Korea, and New Zealand. ESET telemetry links the activity to malicious updates used since 2019, while the group's targeting dates back to 2018; the delivery chain relies on compromised routers, EdgeStepper, malicious DNS redirection, LittleDaemon disguised as popup_4.2.0.2246.dll, DaemonicLogistics, and the SlowStepper backdoor.
Sources
- ‘PlushDaemon’ hackers hijack software updates in supply-chain attacks — www.bleepingcomputer.com — 19.11.2025 12:00