A cyberespionage group known in security research circles as PlushDaemon has been carrying out a long-running operation in which they take advantage of software update systems to secretly install their own tools on targeted computers. According to new analysis by ESET, this group has been active for several years and has repeatedly improved its techniques. Their operations have reached both individuals and organizations across multiple regions, including areas in East Asia, the United States, and Oceania. Victims have included universities, companies that manufacture electronics, and even a major automotive facility located in Cambodia. ESET’s data suggests that this shift toward manipulating software updates has been a consistent part of PlushDaemon’s strategy since at least 2019, which indicates the group has found this method to be reliable and efficient.
The attackers begin by attempting to take control of the network equipment that people rely on for internet connectivity, such as routers or similar devices. They usually exploit security weaknesses that are already publicly known or take advantage of administrators who have left weak passwords unchanged. Once the attackers get access to these devices, they install a custom-built implant researchers call EdgeStepper. This implant is written in the Go programming language and compiled in a format that works comfortably on Linux-based router systems. After deployment, EdgeStepper operates quietly in the background, monitoring how the device handles internet traffic.
What makes this implant dangerous is its ability to interfere with DNS queries. DNS is the system that helps computers find the correct server whenever a user tries to reach a domain name. EdgeStepper watches these requests and checks whether a particular domain is involved in delivering software updates. If EdgeStepper recognizes an update-related domain, it interferes and redirects the request to a server controlled by PlushDaemon. The victim sees no warning sign because the update process appears completely normal. However, instead of downloading a legitimate update from the software provider, the victim unknowingly receives a malicious file from the attackers’ infrastructure.
This deceptive update carries the first stage of a layered malware chain. The initial file is a Windows component known as LittleDaemon. It is intentionally disguised as a DLL file to convince the system that it is a harmless library file. Once LittleDaemon runs, it connects to one of the attacker-controlled nodes and downloads the next stage, known as DaemonicLogistics. This second-stage tool is decrypted and executed directly in memory, which makes it more difficult for traditional security products to spot because it avoids writing visible files to disk. DaemonicLogistics is essentially the bridge that loads the final and most important payload.
The last payload is the group’s advanced backdoor, SlowStepper. This backdoor has been documented in earlier incidents, including a case in which users of a South Korean VPN service unknowingly received a trojanized installer from what appeared to be the vendor’s official site. SlowStepper gives the attackers broad access to a compromised machine. It can gather system information, execute various commands, browse and manipulate files, and activate additional spyware tools. Many of these tools are written in Python and are designed to steal browser data, capture keystrokes, and extract stored credentials, giving PlushDaemon a detailed picture of the victim’s activity.
ESET researchers also examined the group’s interference with update traffic for Sogou Pinyin, which is one of the most widely used Chinese input software products. While this example helps illustrate the group’s behavior, the researchers observed similar hijacking patterns affecting other software products as well. This means PlushDaemon is not focused on one specific application but is instead targeting any update system they can manipulate through the network devices they have compromised. Because their technique relies on controlling the network path rather than exploiting a flaw inside the software itself, the group’s approach could be applied to targets anywhere in the world.
The research report includes extensive technical information on every component uncovered in this campaign and offers indicators of compromise for defenders, including associated files, domains, and IP addresses. These findings suggest how imperative it is that a routine process like installing updates can become a highly effective attack vector when network infrastructure is tampered with. The case also reinforces the importance of securing routers and keeping administrator credentials strong, since a compromised device at the network level allows attackers to alter traffic without the user noticing any warning signs.
