Cybersecurity

Edgestepper Implant Reroutes Dns Queries To Deploy Malware Via...

2025-11-19 0 views admin
Edgestepper Implant Reroutes Dns Queries To Deploy Malware Via...

The threat actor known as PlushDaemon has been observed using a previously undocumented Go-based network backdoor codenamed EdgeStepper to facilitate adversary-in-the-middle (AitM) attacks.

EdgeStepper "redirects all DNS queries to an external, malicious hijacking node, effectively rerouting the traffic from legitimate infrastructure used for software updates to attacker-controlled infrastructure," ESET security researcher Facundo Muñoz said in a report shared with The Hacker News.

Known to be active since at least 2018, PlushDaemon is assessed to be a China-aligned group that has attacked entities in the U.S., New Zealand, Cambodia, Hong Kong, Taiwan, South Korea, and mainland China.

It was first documented by the Slovak cybersecurity company earlier this January, detailing a supply chain attack aimed at a South Korean virtual private network (VPN) provider named IPany to target a semiconductor company and an unidentified software development company in South Korea with a feature-rich implant dubbed SlowStepper.

Among the adversary's victims include a university in Beijing, a Taiwanese company that manufactures electronics, a company in the automotive sector, and a branch of a Japanese company in the manufacturing sector. Earlier this month, ESET also said it observed PlushDaemon targeting two entities in Cambodia this year, a company in the automotive sector and a branch of a Japanese company in the manufacturing sector, with SlowStepper.

The primary initial access mechanism for the threat actor is to leverage AitM poisoning, a technique that has been embraced by an "ever increasing" number of China-affiliated advanced persistent threat (APT) clusters in the last two years, such as LuoYu, Evasive Panda, BlackTech, TheWizards APT, Blackwood, and FontGoblin. ESET said it's tracking ten active China-aligned groups that have hijacked software update mechanisms for initial access and lateral movement.

The attack essentially commences with the threat actor compromising an edge network device (e.g., a router) that its target is likely to connect to. This is accomplished by either exploiting a security flaw in the software or through weak credentials, allowing them to deploy caEdgeStepper.

"Then, EdgeStepper begins redirecting DNS queries to a malicious DNS node that verifies whether the domain in the DNS query message is related to software updates, and if so, it replies with the IP address of the hijacking node," Muñoz explained. "Alternatively, we have

Source: The Hacker News

🏷️ Tags

cybersecuritysecurityhackmalwareattack

More from Cybersecurity

Hackers Claim To Hack Resecurity, Firm Says It Was A Honeypot

Hackers Claim To Hack Resecurity, Firm Says It Was A Honeypot

2026-01-03 0
Covenant Health Says May Data Breach Impacted Nearly 478,000 Patients

Covenant Health Says May Data Breach Impacted Nearly 478,000 Patients

2026-01-02 0
Cryptocurrency Theft Attacks Traced To 2022 Lastpass Breach 2026

Cryptocurrency Theft Attacks Traced To 2022 Lastpass Breach 2026

2026-01-02 0
Over 10k Fortinet Firewalls Exposed To Actively Exploited 2fa Bypass

Over 10k Fortinet Firewalls Exposed To Actively Exploited 2fa Bypass

2026-01-02 0

Trending

1

CVE-2025-61481: Critical Remote Code Execution Vulnerability in MikroTik RouterOS & SwitchOS

2025-10-27 • 189 views
2

CVE-2025-43939: Dell Unity OS Command Injection (High)

2025-10-30 • 148 views
3

Google disputes false claims of massive Gmail data breach

2025-10-30 • 130 views
4

Microsoft: DNS outage impacts Azure and Microsoft 365 services

2025-10-30 • 88 views
5

3.5B Accounts, 1 Critical Flaw: Meta Closes WhatsApp Data-Harvesting

2025-11-25 • 81 views