Chinese APT “PlushDaemon” Hijacks Router Updates to Drop Backdoors

The420.in Staff

A stealthy, China-aligned APT group called PlushDaemon has been infecting routers for years — not just to spy, but to hijack legitimate software updates and push its own malware. Researchers at ESET say the group reroutes update traffic through compromised routers and injects malicious downloads in a way that’s hard to detect.


Edge Devices as the Attack Vector

PlushDaemon doesn’t rely on flashy phishing campaigns or zero-days. Instead, it quietly infects edge devices — especially routers — by exploiting default or weak credentials or other vulnerabilities. Once inside, it deploys a signature implant called EdgeStepper, built for MIPS32 processors (common in many routers).

EdgeStepper intercepts DNS queries from software update clients (such as WPS Office, Tencent QQ, Baidu Netdisk, and Sogou Pinyin) and redirects them to attacker-controlled servers. When the victim's machine then tries to fetch an update, it ends up downloading a malicious replacement.

The Payload: SlowStepper Backdoor

After the redirection, PlushDaemon’s multi-stage downloader kicks in and eventually installs a modular backdoor called SlowStepper. SlowStepper is powerful: it can steal passwords, cookies, screenshots, WeChat data, and more.

Why This Malware Has Stayed Under the Radar

PlushDaemon’s biggest mystery is why a Chinese APT is targeting mostly Chinese organizations. Many victims are based in Mainland China or Hong Kong, including a Beijing university and a Taiwanese manufacturer. Despite being active since at least 2018 (and performing update hijacks since 2019), PlushDaemon has avoided widespread detection.

ESET recommends defenders harden their edge devices: patch them, change default credentials, and monitor network traffic closely — especially for DNS anomalies.
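As an added illustration of the "monitor for DNS anomalies" advice above (this is not code from the article or from ESET), the script below checks logged DNS answers for software update hostnames against a known-good baseline, which is exactly the signal a router-level redirect of the kind described for EdgeStepper would disturb. The hostnames and address ranges are constructed placeholders (RFC 5737 documentation prefixes), not the real vendors' infrastructure; a defender would replace them with answers obtained through an independent, out-of-band resolver. The log lines are constructed sample input.

```python
"""
Added example: flag DNS answers for update hostnames that fall outside a
verified baseline, and flag several update hostnames collapsing onto one IP.
All hostnames, prefixes and log lines are constructed placeholders.
"""
import ipaddress
from collections import defaultdict

# Hypothetical baseline: update hostname -> networks it is expected to resolve into.
# RFC 5737 documentation prefixes stand in for the real, out-of-band verified ranges.
UPDATE_BASELINE = {
    "update.example-office.test": ["198.51.100.0/24"],
    "update.example-im.test": ["203.0.113.0/24"],
    "update.example-netdisk.test": ["203.0.113.0/24"],
}

# Constructed DNS answer log: timestamp, client, qname, answer address.
SAMPLE_LOG = """\
2025-11-20T09:00:01Z 10.0.0.15 update.example-office.test 198.51.100.23
2025-11-20T09:00:04Z 10.0.0.15 www.example.test 93.184.216.34
2025-11-20T09:01:10Z 10.0.0.21 update.example-im.test 192.0.2.77
2025-11-20T09:01:12Z 10.0.0.21 update.example-netdisk.test 192.0.2.77
2025-11-20T09:02:30Z 10.0.0.33 update.example-office.test 192.0.2.77
"""


def parse_log(text):
    """Parse whitespace-separated answer records; skip malformed lines instead of crashing."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, client, qname, answer = parts
        try:
            addr = ipaddress.ip_address(answer)
        except ValueError:
            continue
        records.append((ts, client, qname.lower().rstrip("."), addr))
    return records


def detect_update_hijack(text, baseline=UPDATE_BASELINE):
    """Return alerts: 'off_baseline' for an update hostname resolving outside its
    expected networks, and 'shared_sink' when two or more update hostnames
    resolve to the same address (one attacker server standing in for many vendors)."""
    networks = {host: [ipaddress.ip_network(n) for n in nets]
                for host, nets in baseline.items()}
    alerts = []
    hosts_by_answer = defaultdict(set)
    for ts, client, qname, addr in parse_log(text):
        if qname not in networks:
            continue  # only watched update hostnames are baselined
        hosts_by_answer[addr].add(qname)
        if not any(addr in net for net in networks[qname]):
            alerts.append({"type": "off_baseline", "ts": ts, "client": client,
                           "qname": qname, "answer": str(addr)})
    for addr, hosts in hosts_by_answer.items():
        if len(hosts) >= 2:
            alerts.append({"type": "shared_sink", "answer": str(addr),
                           "qnames": sorted(hosts)})
    return alerts


if __name__ == "__main__":
    for alert in detect_update_hijack(SAMPLE_LOG):
        print(alert)
```

In the constructed sample, three update lookups from two different clients all resolve to one address outside every expected range, which produces three off-baseline alerts and one shared-sink alert. The shared-sink check matters because a redirect implant has to point every hijacked update domain somewhere the attacker controls, so distinct vendors' hostnames converging on one address is a stronger signal than any single off-baseline answer.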
