China's 'PlushDaemon' Hackers Infect Routers to Hijack Software Updates - Dark Reading

Source: Dark Reading (archived Mar 17, 2026)

A unique take on the software update gambit has allowed Beijing's state-sponsored advanced persistent threat (APT) to evade attention as it mostly targets Chinese organizations.

Nate Nelson, Contributing Writer
November 20, 2025

For more than half a decade now, a Chinese state-aligned threat actor has been spying on Chinese organizations by infecting their trusted software updates.

When the SolarWinds breach was unearthed in 2020, it might have seemed like a uniquely devious event in cybersecurity history. But cyberattackers and cybersecurity researchers have been finding other, novel ways of poisoning software updates since then.

"PlushDaemon" is one such group that has quietly, for quite a while now, been taking its own approach to the update hijack. Like Chinese advanced persistent threats (APTs) often do, it infects organizations through their edge devices. But where most APTs use edge devices as initial entry points to deeper network compromise, researchers at ESET have found that PlushDaemon uses them in its own way. It hijacks network traffic using a specially designed implant, re-routes legitimate software update requests to its own infrastructure, and then serves victims malicious substitutes.

Using Edge Devices to Deliver Malicious Software Updates

PlushDaemon attacks don't start off all that uniquely. The group simply has to infect a router or other similar device in the path of network ingress and egress, through some software vulnerability or by exploiting guessable or default administrative credentials. Once it can get in, it deploys its signature malware, "EdgeStepper."

EdgeStepper was written in Go, compiled as an Executable and Linkable Format (ELF) file, and built specifically for MIPS32 processors. Though it has waned in recent years, MIPS was close to ubiquitous in the 2000s and 2010s, and remains popular in the routers and other Internet of Things (IoT) devices that PlushDaemon weaponizes.

EdgeStepper sits between a victim and the websites they intend to reach. When a victim makes a domain name system (DNS) query, the malware — sitting on the edge of their network — intercepts and redirects it to PlushDaemon's infrastructure.

Most websites aren't of interest to PlushDaemon, and nothing special will happen. It only looks for requests generated by certain popular Chinese software products: the Sogou Pinyin Method input editor, the Baidu Netdisk cloud service, the multipurpose instant messenger Tencent QQ, and the free office suite WPS Office. If one of these apps happens to make a request for the website from which it pulls updates, EdgeStepper will replace the legitimate website's IP address with a PlushDaemon IP, where a malicious download is waiting.

Following a couple of midstage downloaders, the victim will eventually download PlushDaemon's custom backdoor "SlowStepper." SlowStepper is a modular backdoor with a variety of components for stealing passwords, local files, browser cookies, a range of data associated with WeChat, and screenshots.

Mysteries Surround PlushDaemon

Certain questions still surround PlushDaemon. For instance, ESET could not say why a Chinese state-aligned APT has been spying on primarily Chinese organizations.

The majority of PlushDaemon's victims have been in mainland China or Hong Kong, such as one Taiwanese electronics manufacturer located in the mainland, and a Beijing university. Other targets have come from Taiwan, Cambodia, New Zealand, and the US. Even in those cases, though, the group has targeted characteristically Chinese software programs, indicating that those victims might also be in some way Chinese.

It's also a mystery why, besides one ESET report last year, PlushDaemon has flown so deeply under the radar for so many years. Though it has been active since at least 2018 — and its software update scheme since 2019 — it hardly garners the attention that other, lesser Chinese-state APTs have.

What's easier to understand about PlushDaemon is how to stop it. ESET malware researcher Facundo Muñoz recommends focusing on the first stage of the attack chain — the most straightforward bit, before all the threat actor's best tricks kick in.

"What we recommend defenders do," he says, "is be mindful of vulnerabilities in the devices that are in their networks, and to try to vet their credentials for vulnerabilities. That's it."

About the Author

Nate Nelson, Contributing Writer

Nate Nelson is a journalist and scriptwriter. He writes for "Darknet Diaries" — the most popular podcast in cybersecurity — and co-created the former Top 20 tech podcast "Malicious Life." Before joining Dark Reading, he was a reporter at Threatpost.
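The DNS-answer substitution the article describes lends itself to a simple defender-side check: resolve the update hostnames of the watched products both through the local gateway and through an independent out-of-band resolver, and flag any gateway answer the reference resolver never returned. The Python below is an added example, not ESET's or Dark Reading's code; the update hostnames and IP addresses in it are constructed placeholders, not the vendors' real endpoints.

```python
import ipaddress

# Constructed watchlist: placeholder update hostnames for the products named
# in the article. These are NOT the vendors' real update endpoints.
UPDATE_DOMAINS = {
    "update.sogou-ime.example": "Sogou Pinyin",
    "update.baidu-netdisk.example": "Baidu Netdisk",
    "update.qq-im.example": "Tencent QQ",
    "update.wps-office.example": "WPS Office",
}

def parse_answers(log_text):
    """Parse 'host ip' lines (one A record per line) into {host: {ip, ...}}."""
    answers = {}
    for line in log_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        host, ip = line.split()
        ipaddress.ip_address(ip)  # raises ValueError on a malformed address
        answers.setdefault(host.lower().rstrip("."), set()).add(ip)
    return answers

def detect_update_hijack(gateway_log, reference_log):
    """List (host, product, gateway_ip, reference_ips) for watched update hosts
    whose gateway-resolved IP is absent from the independent resolver's answers."""
    local = parse_answers(gateway_log)
    reference = parse_answers(reference_log)
    findings = []
    for host, product in UPDATE_DOMAINS.items():
        ref = reference.get(host, set())
        for ip in sorted(local.get(host, set())):
            if ip not in ref:
                findings.append((host, product, ip, frozenset(ref)))
    return findings

# Constructed sample answers: the gateway substituted one update host's IP.
GATEWAY_LOG = """\
update.sogou-ime.example 203.0.113.10
update.wps-office.example 198.51.100.7
"""
REFERENCE_LOG = """\
update.sogou-ime.example 198.51.100.20
update.sogou-ime.example 198.51.100.21
update.wps-office.example 198.51.100.7
"""

if __name__ == "__main__":
    for host, product, ip, ref in detect_update_hijack(GATEWAY_LOG, REFERENCE_LOG):
        print(f"ALERT {product}: {host} -> {ip}, reference answers {sorted(ref)}")
```

Legitimate CDN-fronted update hosts answer differently by vantage point, so a mismatch is a triage lead to verify against the vendor's published address ranges, not a verdict on its own.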