For more than half a decade, a threat actor aligned with the Chinese state has been covertly spying on Chinese entities by hijacking the legitimate software update mechanisms of the applications they use.
When the SolarWinds breach came to light in 2020, it looked like a singularly sophisticated incident: the attackers had compromised the vendor's own build process, so the poisoned updates were genuine signed releases. In the years since, attackers have developed, and analysts have documented, a range of other techniques for tampering with software update processes, including ones that never touch the vendor at all.
"PlushDaemon" is one such group, and it has spent a considerable period refining its own method of update hijacking. In keeping with the pattern often seen among Chinese APTs, it begins by compromising organisations through their edge devices. But where most APTs use these devices merely as stepping-stones into internal networks, researchers at ESET report that PlushDaemon uses them differently: it deploys a custom implant that seizes control of network traffic, redirects legitimate update requests to attacker-controlled servers, and delivers malicious updates in their place.
How Compromised Edge Devices Become Gateways for Fake Software Updates
PlushDaemon's attacks begin in a fairly ordinary manner. The group first compromises a router or similar device sitting on the network's path to and from the internet, either by exploiting a software flaw or by taking advantage of weak or default administrator passwords. Once inside, it deploys its trademark malware, EdgeStepper.
EdgeStepper is a Go-based malware compiled into an Executable and Linkable Format (ELF) binary built specifically for MIPS32 processors. While MIPS has declined in prominence in recent years, it was widely used throughout the 2000s and 2010s and still powers many routers and IoT devices, which makes it a natural target platform for PlushDaemon's operations.
Acting as a man-in-the-middle on the gateway, EdgeStepper intercepts the network's outbound traffic. Every Domain Name System lookup a victim host issues is captured at the edge device and rerouted to a resolver under PlushDaemon's control.
Most domains are of no interest to PlushDaemon, so those lookups are answered normally and the bulk of user traffic flows through untouched. The hijacking resolver only intervenes on update-related queries from widely used Chinese applications such as Sogou Pinyin, Baidu Netdisk, Tencent QQ, and WPS Office. When one of these applications looks up its update host, the answer it receives points at a PlushDaemon address rather than the vendor's, so the updater connects to the attacker's server and downloads a malicious file in place of the genuine update. Because the substitution happens at name resolution, the only visible trace on the victim host is an update that appears to have succeeded.
The malicious update runs a chain of intermediate downloaders, after which PlushDaemon delivers its bespoke backdoor, SlowStepper. It is a modular, plug-in based tool that can exfiltrate credentials, documents, browser cookies, screenshots, and a broad set of WeChat-related data.
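The hijack described above leaves a trace in DNS telemetry: a well-known update hostname suddenly resolves to an address the vendor has never used. The script below is an added example, not code from the article or from ESET, showing one way to hunt for that from Zeek-style JSON `dns.log` records. The update hostnames, the expected address prefixes, and the log lines are all constructed placeholders for the example; in practice the allowlist comes from your own baseline of where each vendor's update host has historically resolved.

```python
"""
Added example (not from the article or from ESET): flag DNS answers that
would redirect a software updater to an unexpected address, which is the
effect EdgeStepper produces on a compromised edge device.

Input is a handful of constructed Zeek-style dns.log records (JSON, one per
line). The hostnames and prefixes in EXPECTED are placeholders, not the real
update hosts or vendor networks.
"""
import ipaddress
import json

# Assumed allowlist: update hostname -> prefixes the vendor is expected to
# answer from. Build this from your own baseline and keep it current,
# because vendors move CDNs and a stale list produces false alarms.
EXPECTED = {
    "update.example-ime.test": ["203.0.113.0/24"],
    "dl.example-netdisk.test": ["198.51.100.0/24", "2001:db8:1::/48"],
}

# Constructed sample log. A real dns.log carries more fields; only the ones
# used here are included. Record 3 and record 5 contain the kind of answer
# a hijacking resolver would return for a watched update host.
SAMPLE_LOG = """\
{"ts": 1700000001.1, "id.orig_h": "10.0.0.21", "id.resp_h": "10.0.0.1", "query": "update.example-ime.test", "qtype_name": "A", "answers": ["203.0.113.40"], "TTLs": [300.0]}
{"ts": 1700000002.5, "id.orig_h": "10.0.0.21", "id.resp_h": "10.0.0.1", "query": "www.example-news.test", "qtype_name": "A", "answers": ["192.0.2.77"], "TTLs": [60.0]}
{"ts": 1700000003.0, "id.orig_h": "10.0.0.33", "id.resp_h": "10.0.0.1", "query": "dl.example-netdisk.test", "qtype_name": "A", "answers": ["192.0.2.200"], "TTLs": [30.0]}
{"ts": 1700000004.2, "id.orig_h": "10.0.0.33", "id.resp_h": "10.0.0.1", "query": "dl.example-netdisk.test", "qtype_name": "AAAA", "answers": ["2001:db8:1::5"], "TTLs": [300.0]}
{"ts": 1700000005.0, "id.orig_h": "10.0.0.40", "id.resp_h": "10.0.0.1", "query": "update.example-ime.test", "qtype_name": "A", "answers": ["203.0.113.41", "192.0.2.200"], "TTLs": [20.0, 20.0]}
"""


def _networks(prefixes):
    return [ipaddress.ip_network(p) for p in prefixes]


def unexpected_answers(record, expected=EXPECTED):
    """Return the answer IPs in one dns.log record that fall outside the
    expected prefixes for a watched update host.

    Names are normalised (case, trailing dot). Non-address answers such as
    CNAME targets are skipped, and names that are not watched return [].
    """
    name = record.get("query", "").lower().rstrip(".")
    if name not in expected:
        return []
    nets = _networks(expected[name])
    bad = []
    for ans in record.get("answers", []):
        try:
            ip = ipaddress.ip_address(ans)
        except ValueError:
            continue  # CNAME or other non-address answer
        # A v4 address is never "in" a v6 network and vice versa, so mixed
        # allowlists work without special-casing.
        if not any(ip in n for n in nets):
            bad.append(str(ip))
    return bad


def scan(log_text, expected=EXPECTED):
    """Parse JSON lines and return one alert per suspicious record as
    (client, query, offending answers), in log order."""
    alerts = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        bad = unexpected_answers(rec, expected)
        if bad:
            alerts.append((rec["id.orig_h"], rec["query"], bad))
    return alerts


if __name__ == "__main__":
    for client, query, bad in scan(SAMPLE_LOG):
        print(f"{client} resolved {query} to unexpected address(es): {', '.join(bad)}")
```

Two caveats apply. First, the `id.resp_h` field is of no use here: because the edge device rewrites the DNS traffic in transit, hosts inside the network still see their configured resolver as the source of every answer, so the only evidence on the inside is the content of the answer. Second, a log-based check is reactive; a stronger control is to resolve the same update hosts from an independent vantage point, such as an encrypted DoH/DoT resolver the edge device cannot tamper with, and compare the results, and the control that actually stops the payload is the application verifying the downloaded update's signature before running it.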
What We Still Don’t Know About PlushDaemon
Some aspects of PlushDaemon's behaviour remain unclear. According to ESET, it is still unknown why a state-aligned Chinese APT would direct its spying efforts primarily at Chinese organisations. Most victims identified so far are in mainland China or Hong Kong, including a Taiwan-owned electronics manufacturer operating on the mainland and a university in Beijing. Victims in Taiwan, Cambodia, New Zealand, and the US were also observed, but they too generated traffic to Chinese software update services, which suggests they have underlying Chinese ties.
Another unanswered question is how PlushDaemon has managed to stay so deeply hidden, with only one previous public analysis, from ESET last year. Although active since at least 2018, and using its update-hijacking approach since 2019, it has attracted remarkably little scrutiny compared with numerous other Chinese-state APTs.
What is far more straightforward is how to counter it. According to ESET researcher Facundo Muñoz, defenders should concentrate on the first step of the attack chain, the compromise of the edge device, where the threat actor's behaviour is most detectable and least sophisticated.
"What we recommend defenders do," he says, "is be mindful of vulnerabilities in the devices that are in their networks, and to try to vet their credentials for vulnerabilities. That's it."