Date: 11/22/2025
Severity: Medium
Summary
PlushDaemon is a China-aligned espionage group active since at least 2018, targeting entities in China, Taiwan, Hong Kong, Cambodia, South Korea, the United States, and New Zealand. The group uses its custom backdoor SlowStepper and primarily gains initial access by hijacking legitimate software updates through its network implant EdgeStepper, while also exploiting web-server vulnerabilities and conducting a 2023 supply-chain attack. PlushDaemon compromises network devices to perform adversary-in-the-middle attacks using EdgeStepper (internally dns_cheat_v2), which intercepts and forwards DNS traffic to malicious DNS nodes; this enables the attackers to redirect legitimate update requests to attacker-controlled servers, deliver malicious updates, and deploy SlowStepper to support broader espionage operations.
Indicators of Compromise (IOC) List
IP Address:
8.212.132.120
47.242.198.250
SHA-1 Hash:
8F569641691ECB3888CD4C11932A5B8E13F04B07
06177810D61A69F34091CC9689B813740D4C260F
69974455D8C13C5D57C1EE91E147FF9AED49AEBC
2857BC730952682D39F426D185769938E839A125
Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection
Detection Query 1 (C2 IP addresses, either direction):
dstipaddress IN ("8.212.132.120","47.242.198.250") or srcipaddress IN ("8.212.132.120","47.242.198.250")
Detection Query 2 (known sample SHA-1 hashes):
sha1hash IN ("06177810D61A69F34091CC9689B813740D4C260F","8F569641691ECB3888CD4C11932A5B8E13F04B07","2857BC730952682D39F426D185769938E839A125","69974455D8C13C5D57C1EE91E147FF9AED49AEBC")
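The following is an added example, not part of the advisory and not Gurucul's or ESET's code: it re-implements the two IOC queries above as a stand-alone check over log records, and adds a check for the DNS-redirection pattern the summary describes by comparing the answers a host received for a software-update domain against answers from an independent reference resolver. The domains, IP answers and log records are constructed sample data; the function names are the example's own.

```python
# Added example: IOC matching plus a DNS-divergence check for the
# EdgeStepper-style update hijack described in the advisory.

# IOC values copied verbatim from the advisory above.
IOC_IPS = {"8.212.132.120", "47.242.198.250"}
IOC_SHA1 = {
    "8F569641691ECB3888CD4C11932A5B8E13F04B07",
    "06177810D61A69F34091CC9689B813740D4C260F",
    "69974455D8C13C5D57C1EE91E147FF9AED49AEBC",
    "2857BC730952682D39F426D185769938E839A125",
}

def match_ioc(record):
    """Queries 1 and 2: a flow endpoint is a listed C2 address, or a file's
    SHA-1 (compared case-insensitively) is a listed sample."""
    hits = [f"{f}={record[f]}" for f in ("srcipaddress", "dstipaddress")
            if record.get(f) in IOC_IPS]
    digest = record.get("sha1hash", "").upper()
    if digest in IOC_SHA1:
        hits.append(f"sha1hash={digest}")
    return hits

def dns_divergence(observed, reference):
    """observed/reference: {domain: set of A-record IPs} as seen through the
    host's resolver and through an independent resolver. An update domain whose
    observed answers share nothing with the reference is the adversary-in-the-
    middle pattern; an answer that is itself an IOC IP is escalated."""
    findings = {}
    for domain, seen in observed.items():
        expected = reference.get(domain, set())
        if seen and expected and seen.isdisjoint(expected):
            level = "ioc" if seen & IOC_IPS else "divergent"
            findings[domain] = (level, sorted(seen))
    return findings

# Constructed sample data (not real telemetry): a benign flow, a flow to a
# listed C2 address, and a lowercase hash of a listed sample.
SAMPLE_RECORDS = [
    {"srcipaddress": "10.0.0.5", "dstipaddress": "93.184.216.34"},
    {"srcipaddress": "10.0.0.7", "dstipaddress": "47.242.198.250"},
    {"sha1hash": "8f569641691ecb3888cd4c11932a5b8e13f04b07"},
]
# Constructed resolver answers: the update domain resolves to a C2 address
# through the local path but to a different address via the reference resolver.
OBSERVED = {"update.vendor.example": {"8.212.132.120"},
            "cdn.vendor.example": {"203.0.113.10"}}
REFERENCE = {"update.vendor.example": {"203.0.113.5"},
             "cdn.vendor.example": {"203.0.113.10"}}
```

Running `dns_divergence(OBSERVED, REFERENCE)` on the sample data flags only the update domain, at the "ioc" level, while the CDN domain whose answers agree is left alone.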
Reference:
https://www.welivesecurity.com/en/eset-research/plushdaemon-compromises-network-devices-for-adversary-in-the-middle-attacks/