What happened
Cybersecurity firm ESET has uncovered a sophisticated campaign by a China‑linked threat actor known as PlushDaemon in which software‑update traffic is being hijacked. The attacker installs a network implant dubbed EdgeStepper, which intercepts DNS queries, identifies domains used for software updates, and redirects those updates to malicious infrastructure.
Once the hijack is in place, a trojan downloader named LittleDaemon drops a backdoor called SlowStepper that grants the attacker extensive control over the target machine, including credential theft, keystroke logging, and file exfiltration.
Who is affected
The attacks span multiple regions and sectors: since 2018, PlushDaemon has targeted organizations in the United States, China, Taiwan, Hong Kong, South Korea, and New Zealand.
Affected entities include electronics manufacturers, universities, and even an automotive manufacturing plant in Cambodia. Given that the mechanism abuses software-update channels, any organization that relies on third‑party components, firmware, or endpoint software updates is potentially at risk.
Why CISOs should care
- This campaign shows how supply‑chain attacks continue to evolve: by compromising update mechanisms rather than just applications or devices.
- The method enables wide‑scale compromise under the guise of legitimate updates, making detection much harder and mitigation more challenging.
- For CISOs, this reinforces that trust boundaries extend beyond “our code” and “our network.” They must include update pipelines, vendor infrastructure, and indirect dependencies.
- Should such an attack succeed, the consequences are acute: long‑standing persistence, data theft, lateral movement, and reputational/operational damage.
3 Practical Actions
- Audit and segment update infrastructure: Ensure that software update channels and DNS infrastructure are monitored and segmented. Consider deploying DNS monitoring for anomalous redirection or unauthorized domains.
- Employ firmware and update integrity verification: Use cryptographic signatures, whitelist trusted update sources, and validate the integrity of updates before deployment. Implement mechanisms to detect unauthorized modification of update binaries.
- Expand vendor & third‑party risk management: Require vendors and firmware providers to disclose their update delivery mechanisms, threat monitoring practices, and incident history. Make sure SLAs and contracts enforce transparency around update security, and treat update services as part of your threat‑surface assessment.