EdgeStepper Backdoor

A China‑aligned threat actor known as PlushDaemon has been linked to a newly uncovered Go‑based network backdoor named EdgeStepper, a tool engineered to support adversary‑in‑the‑middle (AitM) operations. By manipulating network traffic at the DNS level, this group has expanded its ability to intercept and redirect data flows for targeted intrusion campaigns across multiple regions.

EdgeStepper: Redirecting Traffic to Malicious Infrastructure

EdgeStepper acts as a network‑level hijacking mechanism. Once deployed, it reroutes every DNS request to an external malicious node. This manipulation diverts traffic intended for legitimate software‑update infrastructure and instead forwards it to systems under the attacker’s control.

Internally, the tool operates through two primary modules. The Distributor resolves the malicious DNS node’s address (e.g., test.dsc.wcsset.com), while the Ruler configures packet‑filtering rules via iptables to enforce the redirection. In some cases, the DNS node and hijacking node are one and the same, causing the DNS service to return its own IP address during the spoofing process.
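Because the Ruler module enforces the redirect through iptables, a defender reviewing a suspected edge device can audit the NAT table for rules that rewrite port 53 traffic. The following is an added example, not code from the page or from any vendor report: a small Python checker that parses `iptables-save`-style output and flags DNAT rules sending DNS traffic to a host outside an expected-resolver allowlist, plus REDIRECT rules that pull DNS into a local listener. The sample dump, the allowlist (`10.0.0.53`) and the other addresses are constructed from documentation ranges and are not indicators from this campaign; the parser assumes IPv4 rule syntax.

```python
"""Audit iptables-save output for rules that redirect DNS (port 53/853) traffic."""
import ipaddress
import shlex

# Constructed sample of what `iptables-save -t nat` might print on a router.
# All addresses are documentation/test ranges, not real indicators.
SAMPLE_IPTABLES_SAVE = """\
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -p udp -m udp --dport 53 -j DNAT --to-destination 10.0.0.53:53
-A PREROUTING -p udp -m udp --dport 53 -j DNAT --to-destination 203.0.113.10:53
-A PREROUTING -p tcp -m tcp --dport 53 -j DNAT --to-destination 203.0.113.10
-A PREROUTING -p udp -m udp --dport 53 -j REDIRECT --to-ports 5353
-A PREROUTING -p tcp -m tcp --dport 443 -j DNAT --to-destination 192.0.2.5:443
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
"""

# Assumed allowlist: the resolver(s) this network is supposed to forward DNS to.
EXPECTED_RESOLVERS = {ipaddress.ip_address("10.0.0.53")}
DNS_PORTS = {"53", "853"}


def _rule_ports(tokens):
    """Collect destination ports named by --dport / --dports (comma lists, ranges)."""
    ports = set()
    for i, tok in enumerate(tokens):
        if tok in ("--dport", "--dports") and i + 1 < len(tokens):
            for spec in tokens[i + 1].split(","):
                ports.add(spec.split(":")[0])  # "53:60" -> record the range start
    return ports


def _target_and_dest(tokens):
    """Return (jump target, --to-destination address without port) for one rule."""
    target = dest = None
    for i, tok in enumerate(tokens):
        if tok == "-j" and i + 1 < len(tokens):
            target = tokens[i + 1]
        elif tok == "--to-destination" and i + 1 < len(tokens):
            dest = tokens[i + 1].split(":")[0]  # IPv4 "addr" or "addr:port"
    return target, dest


def audit_dns_redirects(dump, expected=EXPECTED_RESOLVERS):
    """Return (finding_type, rule_line) for every NAT rule that diverts DNS traffic."""
    findings = []
    for line in dump.splitlines():
        if not line.startswith("-A "):
            continue  # chain policies, table headers, COMMIT
        tokens = shlex.split(line)
        if not (_rule_ports(tokens) & DNS_PORTS):
            continue  # rule does not touch DNS ports
        target, dest = _target_and_dest(tokens)
        if target == "REDIRECT":
            # DNS pulled into a listener on the device itself
            findings.append(("local-dns-intercept", line))
        elif target == "DNAT" and dest is not None:
            try:
                addr = ipaddress.ip_address(dest)
            except ValueError:
                findings.append(("unparsable-dnat-destination", line))
                continue
            if addr not in expected:
                findings.append(("dns-dnat-to-unexpected-host", line))
    return findings


if __name__ == "__main__":
    for kind, rule in audit_dns_redirects(SAMPLE_IPTABLES_SAVE):
        print(f"{kind}: {rule}")
```

Run against a live device with `iptables-save -t nat | python3 audit.py` after swapping the sample for `sys.stdin.read()`; a clean router produces no findings, while DNAT of port 53 to an address that is not the organisation's resolver is exactly the pattern described above.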

Long‑Running Operations and Global Targeting

Active since at least 2018, PlushDaemon has focused on organizations across the U.S., New Zealand, Cambodia, Hong Kong, Taiwan, South Korea, and mainland China. Its activities were first formally reported in January 2025 during an investigation into a supply chain compromise involving the South Korean VPN provider IPany. That incident revealed how the attackers deployed the multifunctional implant SlowStepper against both a semiconductor firm and an unidentified software development company.

Additional victims identified in later research include a university in Beijing, an electronics manufacturer in Taiwan, an automotive company, and a regional branch of a Japanese manufacturing enterprise. Analysts also recorded further activity in Cambodia in 2025, where two more organizations, one in the automotive sector and another tied to a Japanese manufacturer, were targeted with SlowStepper.

AitM Poisoning: PlushDaemon’s Primary Entry Strategy

The group relies heavily on AitM poisoning as its initial intrusion technique, a trend increasingly shared among other China‑affiliated APT clusters such as LuoYu, Evasive Panda, BlackTech, TheWizards APT, Blackwood, and FontGoblin. PlushDaemon initiates its attack chain by compromising an edge network device the victim is likely to connect through. The compromise typically stems from unpatched vulnerabilities or weak authentication.

Once the device is under control, EdgeStepper is installed to manipulate DNS traffic. The malicious DNS node evaluates incoming requests and, when detecting domains tied to software updates, responds with the hijacking node's IP address. This setup enables malicious delivery of payloads without immediately raising suspicion.
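The behaviour described in this section, a resolver that answers update-domain queries with the hijacking node's address and that in some cases returns its own IP, can be checked from passive DNS or resolver logs. The example below is added here and is not code from the page or from any published analysis of this campaign; it takes constructed DNS observations, compares answers for a watchlist of update hostnames against a reference obtained from a trusted out-of-band resolver, flags any response whose answer equals the responding resolver's own address, and, going slightly beyond the text, also flags several unrelated names converging on one IP, which is how a redirect node tends to look in aggregate. All hostnames, addresses and the reference table are placeholders.

```python
"""Flag DNS observations that match an EdgeStepper-style update-traffic redirect."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class DnsObservation:
    resolver: str    # IP of the resolver that answered (the edge device clients use)
    qname: str       # queried hostname
    answers: tuple   # A-record IPs returned in the response


# Assumed reference: update hostnames the organisation relies on, with the
# answers a trusted out-of-band resolver returned (constructed placeholders).
UPDATE_DOMAINS_REFERENCE = {
    "update.app-one.test": {"198.51.100.20", "198.51.100.21"},
    "dl.app-two.test": {"198.51.100.40"},
}

# Constructed observations as they might be exported from a resolver log.
SAMPLE_OBSERVATIONS = [
    DnsObservation("10.0.0.1", "update.app-one.test", ("198.51.100.20",)),  # matches reference
    DnsObservation("10.0.0.1", "dl.app-two.test", ("203.0.113.10",)),       # update domain redirected
    DnsObservation("10.0.0.1", "www.unrelated.test", ("192.0.2.77",)),
    DnsObservation("10.0.0.1", "cdn.app-three.test", ("10.0.0.1",)),        # resolver returns itself
    DnsObservation("10.0.0.1", "mail.app-four.test", ("203.0.113.10",)),    # converges on same IP
]


def analyze(observations, reference=UPDATE_DOMAINS_REFERENCE, convergence_threshold=2):
    """Return (finding_type, subject, detail) tuples for suspicious resolutions."""
    findings = []
    names_by_answer = defaultdict(set)

    for obs in observations:
        for ip in obs.answers:
            names_by_answer[ip].add(obs.qname)
            if ip == obs.resolver:
                # The DNS node handing out its own address (DNS node == hijack node)
                findings.append(("resolver-answered-with-own-ip", obs.qname, ip))
        expected = reference.get(obs.qname)
        if expected is not None and not set(obs.answers) <= expected:
            # Update hostname resolved to something the trusted resolver never returned
            findings.append(("update-domain-mismatch", obs.qname, ",".join(obs.answers)))

    # Heuristic beyond the text: many distinct names answered with one IP
    for ip, names in names_by_answer.items():
        if len(names) >= convergence_threshold:
            findings.append(("many-names-one-ip", ip, ",".join(sorted(names))))

    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_OBSERVATIONS):
        print(finding)
```

The reference table is the important input: it must come from a path the suspected edge device cannot influence (for example a resolver reached over an independent link or DNS-over-HTTPS to a pinned endpoint), otherwise a poisoned answer would simply become the baseline.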

Hijacked Update Channels and the Deployment Chain

PlushDaemon’s campaign specifically targets the update mechanisms of several Chinese applications, including Sogou Pinyin, redirecting their legitimate update traffic. Through this manipulation, the attackers distribute a malicious DLL named LittleDaemon (popup_4.2.0.2246.dll), which serves as a first‑stage implant. If the system does not already host the SlowStepper backdoor, LittleDaemon contacts the attacker node and retrieves a downloader called DaemonicLogistics.

DaemonicLogistics' role is straightforward: download and execute SlowStepper. Once active, SlowStepper delivers a broad array of capabilities that include collecting system details, acquiring files, extracting browser credentials, pulling data from multiple messaging applications, and removing itself if necessary.

Expanded Capabilities Through Coordinated Implants

The combined functionality of EdgeStepper, LittleDaemon, DaemonicLogistics, and SlowStepper equips PlushDaemon with a comprehensive toolset capable of compromising organizations worldwide. Their coordinated use gives the group persistent access, data‑theft abilities, and a flexible infrastructure for long‑term cross‑region operations.

Key Observations

PlushDaemon’s operations reveal several consistent themes. The group relies heavily on adversary‑in‑the‑middle poisoning as its preferred method for gaining an initial foothold, using it to intercept and redirect traffic at the network edge. Once a target is compromised, the threat actor depends on SlowStepper as its main post‑intrusion implant, taking advantage of its extensive data‑gathering and system‑reconnaissance features. The effectiveness of this workflow is reinforced by EdgeStepper’s ability to manipulate DNS responses, which allows the attackers to quietly divert legitimate software update traffic toward their own infrastructure.