PlushDaemon Compromises Network Devices for Adversary-in-the-Middle Attacks

    Date: 11/22/2025

    Severity: Medium

    Summary

    PlushDaemon is a China-aligned espionage group active since at least 2018, with victims in China, Taiwan, Hong Kong, Cambodia, South Korea, the United States, and New Zealand. Its primary initial-access technique is hijacking legitimate software updates; it has also exploited web-server vulnerabilities and carried out a supply-chain attack in 2023. The update hijacking is performed with EdgeStepper (internal name dns_cheat_v2), a network implant deployed on compromised network devices. EdgeStepper intercepts DNS traffic passing through the device and forwards it to attacker-controlled DNS nodes, so that update hostnames resolve to attacker-controlled servers; the victim's updater then fetches a malicious update that installs the group's custom backdoor, SlowStepper, which supports the rest of the espionage operation. Because the redirection happens on the network path rather than on the endpoint, a compromised host shows no exploit or phishing artefact, only a legitimate-looking update that arrived from the wrong place.

    Indicators of Compromise (IOC) List 

    IP Address

    8.212.132.120

    47.242.198.250

    Hash

    8F569641691ECB3888CD4C11932A5B8E13F04B07

    06177810D61A69F34091CC9689B813740D4C260F

    69974455D8C13C5D57C1EE91E147FF9AED49AEBC

    2857BC730952682D39F426D185769938E839A125

    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Detection Query 1 :

    dstipaddress IN ("8.212.132.120","47.242.198.250") or srcipaddress IN ("8.212.132.120","47.242.198.250")

    Detection Query 2 :

    sha1hash IN ("06177810D61A69F34091CC9689B813740D4C260F","8F569641691ECB3888CD4C11932A5B8E13F04B07","2857BC730952682D39F426D185769938E839A125","69974455D8C13C5D57C1EE91E147FF9AED49AEBC")
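    The two queries above can be replayed offline against exported telemetry. The script below is an added example, not Gurucul's or ESET's code: it takes the bulletin's IP and SHA-1 indicators and sweeps three constructed record sets (network flows, file hashes, DNS answers). The flow and hash checks mirror Detection Query 1 and 2; the DNS check is the one a defender most wants for this actor, since the EdgeStepper redirect shows up as an update hostname resolving to attacker infrastructure. Hashes are compared after lower-casing, because the bulletin prints them in upper case while many EDR and file-integrity sources emit lower-case hex; a literal string match would silently miss those. All log records and the hostname are constructed for illustration.

```python
"""IOC sweep for the PlushDaemon / EdgeStepper bulletin.

Added example; not Gurucul's or ESET's code. The indicators are the IP
addresses and SHA-1 hashes listed in the bulletin. All telemetry below is
constructed for illustration, including the placeholder hostname.
"""
import ipaddress
import re

# IP indicators from the bulletin, parsed once so malformed log values are
# rejected and textual variants of the same address compare equal.
IOC_IPS = frozenset(
    ipaddress.ip_address(a) for a in ("8.212.132.120", "47.242.198.250")
)

# SHA-1 indicators from the bulletin, stored lower-case so that matching is
# independent of how the telemetry source prints hex digits.
IOC_SHA1 = frozenset(
    h.lower()
    for h in (
        "8F569641691ECB3888CD4C11932A5B8E13F04B07",
        "06177810D61A69F34091CC9689B813740D4C260F",
        "69974455D8C13C5D57C1EE91E147FF9AED49AEBC",
        "2857BC730952682D39F426D185769938E839A125",
    )
)

_SHA1_RE = re.compile(r"^[0-9a-fA-F]{40}$")


def _parse_ip(text):
    """Return an ip_address object, or None if the field is not an address."""
    try:
        return ipaddress.ip_address(text.strip())
    except ValueError:
        return None


def ip_hits(flows):
    """flows: iterable of (src_ip, dst_ip). Returns flows that touch an IOC IP
    in either direction, the same condition Detection Query 1 expresses."""
    hits = []
    for src, dst in flows:
        s, d = _parse_ip(src), _parse_ip(dst)
        if s in IOC_IPS or d in IOC_IPS:
            hits.append((src, dst))
    return hits


def hash_hits(file_records):
    """file_records: iterable of (path, sha1_hex). Returns (path, sha1_lower)
    for files whose hash is an IOC; malformed hash strings are skipped."""
    hits = []
    for path, digest in file_records:
        digest = digest.strip()
        if not _SHA1_RE.match(digest):
            continue
        if digest.lower() in IOC_SHA1:
            hits.append((path, digest.lower()))
    return hits


def dns_answer_hits(dns_records):
    """dns_records: iterable of (qname, answer_ip) from resolver or DNS logs.
    An update hostname answered with attacker infrastructure is what the
    EdgeStepper redirect described in the summary looks like on the wire."""
    return [(q, a) for q, a in dns_records if _parse_ip(a) in IOC_IPS]


# Constructed sample telemetry (not from any real incident).
SAMPLE_FLOWS = [
    ("10.0.0.21", "203.0.113.10"),
    ("10.0.0.21", "47.242.198.250"),      # outbound to IOC IP
    ("8.212.132.120", "10.0.0.5"),        # inbound from IOC IP
    ("not-an-ip", "10.0.0.5"),            # malformed field, ignored
]

SAMPLE_FILES = [
    ("C:\\Users\\alice\\Downloads\\update.exe",
     "8F569641691ECB3888CD4C11932A5B8E13F04B07"),   # upper-case, as in bulletin
    ("C:\\Windows\\notepad.exe",
     "0000000000000000000000000000000000000001"),   # well-formed, not an IOC
    ("/tmp/loader", "69974455d8c13c5d57c1ee91e147ff9aed49aebc"),  # lower-case
    ("/tmp/bad", "zz"),                                           # malformed
]

SAMPLE_DNS = [
    ("update.example.invalid", "203.0.113.10"),    # placeholder hostname
    ("update.example.invalid", "8.212.132.120"),   # same name, IOC answer
]


def sweep(flows=SAMPLE_FLOWS, files=SAMPLE_FILES, dns=SAMPLE_DNS):
    """Run all three checks and return the matching records per source."""
    return {
        "flows": ip_hits(flows),
        "files": hash_hits(files),
        "dns": dns_answer_hits(dns),
    }


if __name__ == "__main__":
    for source, hits in sweep().items():
        print(f"{source}: {len(hits)} hit(s)")
        for hit in hits:
            print("   ", hit)
```

Two caveats when operationalising this: IP indicators for actors using rented hosting age quickly, so time-bound the IP query to the reporting window rather than alerting on them indefinitely, and a DNS-answer match is only visible if resolver or passive-DNS logs are collected at or upstream of the network devices, since a compromised edge device is exactly where EdgeStepper rewrites the traffic.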

    Reference:    

    https://www.welivesecurity.com/en/eset-research/plushdaemon-compromises-network-devices-for-adversary-in-the-middle-attacks/


    Tags

    AiTM, Malware, Threat Actor, PlushDaemon, SlowStepper, Backdoor, China, Taiwan, Hong Kong, Cambodia, South Korea, United States, New Zealand
