Edge Stepper Router Implant Exploits Software Update Mechanisms to Deploy Malware
ESET researchers have identified a new adversary-in-the-middle (AitM) tool deployed by the China-linked APT group PlushDaemon, which compromises routers to covertly redirect DNS traffic, allowing attackers to hijack software updates and deliver malware to Windows systems.
The discovery involves a previously unknown network implant named EdgeStepper, found within a suspicious ELF file called bioset. The implant enables PlushDaemon to intercept DNS queries inside compromised networks and reroute them to attacker-controlled infrastructure, paving the way for hidden malware distribution by redirecting requests meant for legitimate update servers.
Figure 1. Edge Stepper Router.
PlushDaemon is a long-running, China-aligned espionage group active since at least 2018, targeting entities in the United States, Taiwan, China, Hong Kong, New Zealand, Cambodia, and South Korea. The group is associated with the 2023 supply-chain attack on the South Korean VPN provider Ipany VPN and typically focuses on intelligence collection from high-value sectors such as manufacturing, academia, and software development. Figure 1 shows the Edge Stepper router.
EdgeStepper Implant Operation
Internally called dns_cheat_v2, the implant is a Go-compiled ELF binary for MIPS32, indicating deployment on small network hardware. After installation, EdgeStepper decrypts its configuration via AES-CBC with embedded keys and modifies iptables to redirect all DNS traffic on UDP port 53 to a malicious proxy running on port 1090 [1]. DNS requests related to update domains are then answered by attacker-controlled servers, which return the IP addresses of malware-hosting systems.
This redirection enables attackers to mimic legitimate update services. Update applications, unaware of tampering, are tricked into downloading malicious files such as LittleDaemon, disguised as authentic DLLs and delivered over HTTP from spoofed subdomains like ime.sogou.com.
Multistage Malware Delivery
Once installed, LittleDaemon checks for the presence of PlushDaemon’s main backdoor, SlowStepper. If missing, it retrieves a second-stage downloader called DaemonicLogistics, decrypts it using XOR operations, and executes it in memory. This component communicates with command servers disguised as software-update endpoints and receives instructions encoded in HTTP status codes, including downloading SlowStepper or secondary payloads such as plugin.exe.
Defense Recommendations
The EdgeStepper infrastructure has been active since at least 2021 and has previously been linked to malicious update delivery. Organizations should:
- Segment and protect software update infrastructure
- Monitor DNS for anomalies or unauthorized redirects
- Require HTTPS, certificate validation, and code-signed updates
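The implant's redirection of UDP/53 through iptables (described above) leaves a visible trace in the router's NAT table, and the DNS-monitoring recommendation can start there. The following is an added example, not code from ESET or the article: it parses `iptables-save` output and flags nat-table rules that REDIRECT or DNAT DNS traffic, using a constructed sample that includes a rule of the shape the article describes (the port 1090 comes from the article; interface names and other rules are made up).

```python
import re
from typing import Dict, List

# Constructed sample of `iptables-save` output from a small router. The first
# nat rule has the shape the article describes: DNS on UDP/53 redirected to a
# local proxy on port 1090. The other rules are ordinary filler.
SAMPLE_IPTABLES_SAVE = """\
*nat
:PREROUTING ACCEPT [0:0]
-A PREROUTING -i br0 -p udp -m udp --dport 53 -j REDIRECT --to-ports 1090
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
*filter
-A INPUT -p udp -m udp --dport 53 -j ACCEPT
COMMIT
"""

RULE_RE = re.compile(r"^-A\s+(?P<chain>\S+)\s+(?P<body>.+)$")
DPORT53_RE = re.compile(r"--dports?\s+53\b")      # port 53 only, not 5353
PROTO_RE = re.compile(r"-p\s+(\S+)")
TARGET_RE = re.compile(r"-j\s+(\S+)")
TO_RE = re.compile(r"--to-(?:ports?|destination)\s+(\S+)")


def find_dns_redirects(iptables_save: str) -> List[Dict[str, str]]:
    """Return nat-table rules that divert DNS (dport 53) via REDIRECT or DNAT.
    Clients see nothing: their queries simply arrive at a different resolver,
    so on a healthy router no such rule should exist."""
    findings = []
    table = None
    for raw in iptables_save.splitlines():
        line = raw.strip()
        if line.startswith("*"):            # table header, e.g. "*nat"
            table = line[1:]
            continue
        m = RULE_RE.match(line)
        if table != "nat" or not m:
            continue
        body = m.group("body")
        target = TARGET_RE.search(body)
        if not DPORT53_RE.search(body) or not target:
            continue
        if target.group(1) not in ("REDIRECT", "DNAT"):
            continue
        proto, dest = PROTO_RE.search(body), TO_RE.search(body)
        findings.append({"chain": m.group("chain"),
                         "proto": proto.group(1) if proto else "any",
                         "target": target.group(1),
                         "to": dest.group(1) if dest else "?"})
    return findings
```

Running `find_dns_redirects` over the real output of `iptables-save` on a router (or on a fleet via a config-collection job) turns the list into an alert whenever it is non-empty.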
Reference:
- https://cyberinsider.com/router-implant-edgestepper-hijacks-software-updates-to-deliver-malware/
Cite this article:
Keerthana S (2025), Edge Stepper Router Implant Exploits Software Update Mechanisms to Deploy Malware, AnaTechMaz, pp.241