A previously undocumented China-aligned Advanced Persistent Threat group, tracked as “PlushDaemon,” is conducting sophisticated cyberespionage campaigns by hijacking software update mechanisms and executing supply-chain attacks against targets across Asia and the West [1]. Discovered by ESET researchers, this group’s operations represent a significant evolution in adversary-in-the-middle and supply-chain attack techniques, posing a severe threat to organizations worldwide [2].
The group employs a multi-faceted approach to initial infection, beginning with compromising network infrastructure to redirect software update traffic. Once established in a target environment, PlushDaemon deploys a powerful, modular backdoor called SlowStepper that provides extensive espionage capabilities [3]. This campaign highlights the growing sophistication of supply-chain attacks and the difficulty defenders face in detecting such operations.
Executive Summary for Security Leadership
The PlushDaemon campaign represents a sophisticated dual-approach attack strategy combining network infrastructure compromise with software supply-chain targeting. Security leaders should be aware that this China-aligned APT group has been active since at least 2018 or 2019 and targets organizations across multiple sectors including universities, electronics manufacturing, automotive, and semiconductor industries [4]. The group’s operations span the United States, New Zealand, Cambodia, Hong Kong, Taiwan, mainland China, South Korea, and Japan, indicating broad targeting of both Western and Asian entities.
The attack methodology involves either compromising network devices to hijack DNS queries for software updates or directly tampering with legitimate software installers. In one documented case, the group replaced the legitimate IPany VPN installer on the official website with a malicious version that installed both the legitimate software and the SlowStepper backdoor [5]. This approach potentially affected any user who downloaded the compromised installer during the compromise period.
| Threat Component | Description | Impact |
|---|---|---|
| EdgeStepper DNS Hijacker | Go-based implant that intercepts DNS requests | Redirects software update traffic to attacker servers |
| SlowStepper Backdoor | Modular C++ backdoor with over 30 components | Comprehensive espionage and system control |
| Supply-Chain Compromise | Trojanized legitimate software installers | Widespread infection through trusted sources |
Technical Analysis of Attack Vectors
PlushDaemon employs two primary infection vectors: software update hijacking through network compromise and direct supply-chain attacks. The software update hijacking begins with the group gaining initial access to network infrastructure devices such as routers, believed to be achieved through exploiting software vulnerabilities or using weak administrative credentials [1]. Once the device is compromised, PlushDaemon deploys a previously undocumented Go-based implant codenamed EdgeStepper, which has the internal developer name `dns_cheat_v2`.
This network implant operates by intercepting all outbound DNS requests and redirecting them to a malicious, attacker-controlled DNS server. The malicious server selectively hijacks queries for software update domains, particularly those of popular Chinese software, responding with the IP address of a PlushDaemon-controlled server instead of the legitimate update server [3]. The victim’s computer, believing it is connecting to a legitimate update server, then receives malicious payloads disguised as updates. These payloads include downloaders named LittleDaemon and DaemonicLogistics, which ultimately deploy the sophisticated SlowStepper backdoor.
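The hijack described above leaves one observable trace on the defender's side: an update hostname resolving to an address the vendor has never answered from. The following script is an added example (not ESET's code and not part of the PlushDaemon toolset) of that check, run over a constructed resolver log. The hostnames, address ranges and log format are hypothetical; a real deployment would load vendor-published ranges or a passive-DNS baseline into `EXPECTED_UPDATE_RANGES`.

```python
import ipaddress
from typing import Iterable, List, Optional, Tuple

# Constructed allowlist for this example: software update hostnames mapped to
# the address ranges the vendor is known to answer from. Hostnames and ranges
# are hypothetical (documentation/test ranges); in practice the list is built
# from vendor-published ranges or a baseline of passive DNS.
EXPECTED_UPDATE_RANGES = {
    "update.example-vendor.test": ["203.0.113.0/24", "2001:db8:1::/48"],
    "dl.example-suite.test": ["198.51.100.0/25"],
}


def parse_dns_log_line(line: str) -> Optional[dict]:
    """Parse one resolver log line in the constructed format:
    <timestamp> <client_ip> <qname> <qtype> <answer>
    Returns None for lines that do not fit the format."""
    parts = line.split()
    if len(parts) != 5:
        return None
    ts, client, qname, qtype, answer = parts
    return {
        "ts": ts,
        "client": client,
        "qname": qname.rstrip(".").lower(),  # normalise trailing dot and case
        "qtype": qtype.upper(),
        "answer": answer,
    }


def answer_in_expected_ranges(qname: str, answer: str) -> Optional[bool]:
    """True/False when qname is a baselined update domain and the answer is an
    IP inside/outside its expected ranges; None when the domain is not
    baselined or the answer is not an address (e.g. a CNAME target)."""
    ranges = EXPECTED_UPDATE_RANGES.get(qname)
    if ranges is None:
        return None
    try:
        ip = ipaddress.ip_address(answer)
    except ValueError:
        return None
    return any(ip in ipaddress.ip_network(r) for r in ranges)


def find_hijacked_updates(lines: Iterable[str]) -> List[Tuple[str, str, str]]:
    """Return (client, qname, answer) for every A/AAAA answer that resolves a
    baselined update domain to an address outside the vendor's ranges."""
    hits = []
    for line in lines:
        rec = parse_dns_log_line(line)
        if rec is None or rec["qtype"] not in ("A", "AAAA"):
            continue
        if answer_in_expected_ranges(rec["qname"], rec["answer"]) is False:
            hits.append((rec["client"], rec["qname"], rec["answer"]))
    return hits


# Constructed sample log: two legitimate answers, one CNAME, one unrelated
# domain, and two answers that send update traffic somewhere unexpected.
SAMPLE_LOG = [
    "2025-01-10T08:00:01Z 10.0.0.5 update.example-vendor.test A 203.0.113.10",
    "2025-01-10T08:00:02Z 10.0.0.5 update.example-vendor.test A 192.0.2.77",
    "2025-01-10T08:00:03Z 10.0.0.9 dl.example-suite.test. A 198.51.100.200",
    "2025-01-10T08:00:04Z 10.0.0.9 www.unrelated.test A 192.0.2.1",
    "2025-01-10T08:00:05Z 10.0.0.5 update.example-vendor.test CNAME cdn.example-vendor.test",
    "2025-01-10T08:00:06Z 10.0.0.5 update.example-vendor.test AAAA 2001:db8:1::5",
]

if __name__ == "__main__":
    for client, qname, answer in find_hijacked_updates(SAMPLE_LOG):
        print(f"possible update hijack: {client} resolved {qname} to {answer}")
```

Two caveats apply when this runs against real data: update hostnames frequently resolve to CDN addresses that change over time, so the baseline needs regular refresh to avoid false positives, and an implant sitting on the router can answer with addresses that fall inside a vendor's range only if it controls hosts there, so a hit outside the range is strong evidence while a miss is not proof of a clean resolution.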
In the separate but related IPany VPN supply-chain attack in late 2023, PlushDaemon directly compromised the software distribution channel of the South Korean VPN provider. The group replaced the legitimate `IPanyVPNsetup.exe` installer on the official website with a malicious version that was not geofenced, meaning it could affect any user worldwide who downloaded it during the compromise period [5]. The malicious installer established persistence by creating a Registry Run key named `IPanyVPN` pointing to a malicious `svcghost.exe` file.
SlowStepper Backdoor Capabilities and Infrastructure
SlowStepper serves as PlushDaemon’s primary espionage tool, featuring a sophisticated, modular architecture written in C++. The backdoor exists in both “Lite” and “Full” versions, showing continuous development since at least 2019, with the oldest known sample being v0.1.7 and the newest v0.2.12 from 2024 [5]. The variant used in the IPany VPN attack was v0.2.10 Lite, demonstrating the group’s ability to tailor their tools for specific operations.
The backdoor employs advanced stealth techniques for command-and-control communication, using a multi-stage method to hide its C&C servers. It sends a DNS query for a TXT record to a predefined domain such as `7051.gsm.360safe[.]company`, with the response containing a base64-encoded and AES-encrypted list of IP addresses for the actual C&C servers [5]. If these primary servers fail, the malware uses a fallback domain (`st.360safe[.]company`) to maintain persistence and ensure continuous communication with the attackers.
SlowStepper’s power lies in its extensive toolkit of over 30 components written in C++, Python, and Go. These modules were stored in a remote code repository on the Chinese platform GitCode under the account `LetMeGo22` and could be downloaded on demand based on the specific intelligence requirements of each operation [5]. This modular approach allows the attackers to deploy only the necessary tools for each target, reducing the footprint and increasing the difficulty of detection.
The toolkit includes comprehensive data theft capabilities with specialized modules for stealing and decrypting passwords from browsers including Google Chrome, Mozilla Firefox, Tencent QQ Browser, 360 Chrome, and UC Browser. Dedicated modules target communication tools like WeChat and Telegram, collecting account data and files from these popular messaging applications. The backdoor also includes full-spectrum surveillance capabilities with modules for audio recording via microphone, video and photo capture via webcam, and screen recording functionality.
Detection and Mitigation Strategies
From a defensive perspective, this attack presents significant detection challenges. As noted in ESET’s research, from the victim’s viewpoint, the only indicators might be software behaving unexpectedly or displaying errors related to missed updates [4]. This underscores the importance of robust monitoring and detection capabilities at both the network and endpoint levels to identify such sophisticated attacks.
Organizations should implement several key defensive measures to protect against these types of attacks. Network monitoring should focus on detecting unauthorized changes to network devices and enforcing strong credential policies for administrative access. The use of encrypted DNS protocols such as DNS over HTTPS (DoH) or DNS over TLS (DoT) can help mitigate DNS hijacking attempts by preventing interception of plaintext DNS queries [4]. Software verification through hash checking or digital signature validation before installation provides an additional layer of protection, particularly important after supply-chain incidents are disclosed.
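The hash-checking step above is simple to state but easy to get subtly wrong (whole-file reads of large installers, non-constant-time comparison, silently accepting a file that has no manifest entry). The script below is an added example, not code from ESET or from any vendor named on this page; it streams a file through SHA-256, parses a `sha256sum`-style manifest, and verifies a download against it. The file name `ExampleVPNsetup.exe`, the manifest contents and the installer bytes are all constructed for the demonstration.

```python
import hashlib
import hmac
import os
import tempfile
from typing import Dict, Tuple


def sha256_file(path: str, chunk_size: int = 1 << 20) -> str:
    """Stream the file through SHA-256 so large installers are not read into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def parse_hash_manifest(text: str) -> Dict[str, str]:
    """Parse 'sha256sum'-style lines ('<hex digest>  <filename>', with an
    optional '*' before the name for binary mode) into {filename: digest}.
    Malformed lines raise rather than becoming entries that can never match."""
    expected = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            raise ValueError(f"malformed manifest line: {raw!r}")
        digest, name = parts[0].lower(), parts[1].strip().lstrip("*")
        if len(digest) != 64 or any(c not in "0123456789abcdef" for c in digest):
            raise ValueError(f"malformed digest on line: {raw!r}")
        expected[name] = digest
    return expected


def verify_installer(path: str, manifest: Dict[str, str]) -> bool:
    """True only if the file's SHA-256 equals the manifest entry for its
    basename. A file with no manifest entry is unverified, not acceptable."""
    name = os.path.basename(path)
    if name not in manifest:
        return False
    return hmac.compare_digest(sha256_file(path), manifest[name])


def demo() -> Tuple[bool, bool]:
    """Constructed scenario: a 'published' manifest is produced from the
    untampered installer, then a modified copy with the same file name is
    checked against it. Returns (untampered_ok, tampered_ok)."""
    with tempfile.TemporaryDirectory() as tmp:
        good = os.path.join(tmp, "ExampleVPNsetup.exe")  # hypothetical file name
        with open(good, "wb") as f:
            f.write(b"MZ" + b"\x00" * 4094 + b"constructed installer payload")
        manifest = parse_hash_manifest(f"{sha256_file(good)}  *ExampleVPNsetup.exe\n")

        download_dir = os.path.join(tmp, "download")
        os.mkdir(download_dir)
        tampered = os.path.join(download_dir, "ExampleVPNsetup.exe")
        with open(good, "rb") as src, open(tampered, "wb") as dst:
            dst.write(src.read() + b"\x90")  # one extra byte: a different binary
        return verify_installer(good, manifest), verify_installer(tampered, manifest)


if __name__ == "__main__":
    untampered_ok, tampered_ok = demo()
    print(f"untampered installer verified: {untampered_ok}")
    print(f"tampered installer verified:   {tampered_ok}")
```

The check is only as good as the source of the expected digest: in the IPany case the installer on the official website itself was replaced, so a hash published on the same site would have matched the trojanized file. Expected hashes need to come from a channel the download site cannot rewrite (an out-of-band advisory, a signed manifest, or a value recorded before the incident window), and on Windows the natural complement is Authenticode signature validation with `signtool verify` or PowerShell's `Get-AuthenticodeSignature`.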
Threat hunting teams should actively search for indicators associated with PlushDaemon operations, including DNS queries to known C&C domains such as `7051.gsm.360safe[.]company` and the presence of suspicious files like `svcghost.exe` or `lregdll.dll` [5]. Monitoring for registry modifications that establish persistence, particularly Run keys pointing to unusual executable locations, can help identify compromised systems. Network traffic analysis should focus on identifying unusual patterns in software update communications and unexpected connections to IP addresses not associated with legitimate update services.
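Putting the hunting guidance above into code: the script below is an added example, not ESET's tooling. It takes the indicators named on this page (the two C&C domains, the `svcghost.exe` and `lregdll.dll` file names, and the `IPanyVPN` Run value) and applies them to two constructed inputs, a DNS query log and a list of Run-key values. The log format, the Run-key sample entries and the set of "trusted" program directories are assumptions made for the example.

```python
import ntpath
from typing import Dict, Iterable, List, Sequence, Tuple

# Indicators named in the write-up above. The domains are written defanged
# there ('[.]'), so they are normalised before matching against log data.
IOC_DOMAINS = {"7051.gsm.360safe[.]company", "st.360safe[.]company"}
IOC_FILENAMES = {"svcghost.exe", "lregdll.dll"}
IOC_RUN_VALUE_NAMES = {"ipanyvpn"}


def refang(domain: str) -> str:
    return domain.replace("[.]", ".").rstrip(".").lower()


NORMALISED_IOC_DOMAINS = {refang(d) for d in IOC_DOMAINS}


def hunt_dns(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Flag DNS log lines whose query name is, or is a subdomain of, a known
    C&C domain. Constructed line format: <timestamp> <client_ip> <qname> <qtype>.
    The query type is kept because SlowStepper's server lookup uses TXT records."""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) < 4:
            continue
        ts, client, qname, qtype = parts[:4]
        q = refang(qname)
        for ioc in NORMALISED_IOC_DOMAINS:
            if q == ioc or q.endswith("." + ioc):
                hits.append({"ts": ts, "client": client, "qname": q,
                             "qtype": qtype.upper(), "ioc": ioc})
    return hits


# Directories where auto-start executables normally live (constructed heuristic,
# tune per environment). Anything outside is worth a look, not automatically bad.
TRUSTED_PREFIXES = ("c:\\program files\\", "c:\\program files (x86)\\", "c:\\windows\\")


def extract_exe_path(command: str) -> str:
    """Pull the executable path out of a Run-key command line. Quoted paths are
    taken verbatim; unquoted ones are cut at the first space."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split()[0] if command else ""


def hunt_run_keys(entries: Sequence[Tuple[str, str, str]]) -> List[Tuple[str, str, str, List[str]]]:
    """entries: (registry key path, value name, command line).
    Returns (key, value name, executable, reasons) for each suspicious entry."""
    findings = []
    for key, name, command in entries:
        exe = extract_exe_path(command)
        reasons = []
        if name.lower() in IOC_RUN_VALUE_NAMES:
            reasons.append("run value name matches a known indicator")
        if ntpath.basename(exe).lower() in IOC_FILENAMES:
            reasons.append("executable name matches a known indicator")
        if exe and not exe.lower().startswith(TRUSTED_PREFIXES):
            reasons.append("executable outside standard program directories")
        if reasons:
            findings.append((key, name, exe, reasons))
    return findings


# Constructed samples (no real host data).
SAMPLE_DNS_LOG = [
    "2025-01-10T09:12:01Z 10.0.0.21 www.example-intranet.test A",
    "2025-01-10T09:12:07Z 10.0.0.21 7051.gsm.360safe.company TXT",
    "2025-01-10T09:14:30Z 10.0.0.21 st.360safe.company. A",
]
RUN_KEY = "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run"
SAMPLE_RUN_ENTRIES = [
    (RUN_KEY, "VendorUpdater", '"C:\\Program Files\\Vendor\\updater.exe" /background'),
    (RUN_KEY, "IPanyVPN", "C:\\Users\\alice\\AppData\\Roaming\\svcghost.exe"),
    (RUN_KEY, "Helper", '"C:\\Users\\Public\\helper.exe" -q'),
    (RUN_KEY, "Tray", "C:\\Windows\\System32\\example_tray.exe"),
]

if __name__ == "__main__":
    for hit in hunt_dns(SAMPLE_DNS_LOG):
        print("DNS indicator:", hit)
    for key, name, exe, reasons in hunt_run_keys(SAMPLE_RUN_ENTRIES):
        print(f"Run key {key}\\{name} -> {exe}: {'; '.join(reasons)}")
```

On a live host the Run-key tuples can be collected with `reg query` or PowerShell's `Get-ItemProperty` against the HKCU and HKLM `...\CurrentVersion\Run` keys and fed to `hunt_run_keys` unchanged. The third heuristic (executable outside standard directories) is deliberately noisy: legitimate per-user software lands in `AppData` too, so treat it as a triage signal to pair with file-name, signature and DNS evidence rather than as a verdict on its own.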
ESET researchers note that PlushDaemon is not an isolated case, as they are currently tracking ten active China-aligned APT groups that are hijacking software updates, including SinisterEye (LuoYu), Evasive Panda, and Blackwood [4]. This pattern indicates that software update hijacking has become an established technique among sophisticated threat actors, requiring coordinated defensive measures across the cybersecurity community.
Operational Security Implications
The discovery of PlushDaemon reveals a highly resourced and persistent threat actor with a sophisticated toolset designed for long-term espionage operations. The group’s dual approach of compromising network infrastructure to hijack updates while simultaneously executing direct software supply-chain attacks demonstrates their operational flexibility and targeting methodology. This campaign underscores the critical need for robust software supply chain security and proactive network defense measures.
Security teams should recognize that traditional signature-based detection approaches may be insufficient against such sophisticated threats. The use of legitimate software components and sophisticated code obfuscation techniques, combined with the modular nature of the malware, enables PlushDaemon to evade conventional security controls. The group’s toolkit includes components signed with certificates from obscure Chinese companies, further complicating detection efforts and highlighting the need for behavioral analysis and anomaly detection.
The extensive version history and continuous development of the SlowStepper backdoor indicate that PlushDaemon represents a well-established threat actor with significant development resources. As ESET concluded in their technical report, “The numerous components in the PlushDaemon toolset, and its rich version history, show that, while previously unknown, this China-aligned APT group has been operating diligently to develop a wide array of tools, making it a significant threat to watch for” [5]. This assessment underscores the persistent nature of the threat and the need for sustained defensive efforts.
Organizations operating in targeted sectors or regions should assume they may be targeted by similar techniques and implement appropriate defensive measures. The broad geographic targeting spanning multiple continents indicates that PlushDaemon conducts intelligence collection operations against both Western and Asian targets, with particular focus on organizations in technology, manufacturing, and academic sectors. This targeting pattern aligns with traditional cyberespionage objectives focused on intellectual property theft and strategic intelligence collection.
The PlushDaemon campaign represents a sophisticated evolution in supply-chain attack techniques that poses significant challenges for defensive security teams. The combination of network infrastructure compromise and software supply-chain targeting enables the group to distribute malware through trusted channels while maintaining operational stealth. Defenders must implement comprehensive monitoring, robust authentication mechanisms, and software verification processes to detect and prevent such attacks. As software supply-chain attacks continue to evolve, organizations must prioritize supply-chain security as a critical component of their overall cybersecurity strategy.