Subj : Chinas PlushDaemon group uses EdgeStepper implant to infect netwo To : All From : TechnologyDaily Date : Thu Nov 20 2025 14:45:08 Chinas PlushDaemon group uses EdgeStepper implant to infect network devices with SlowStepper malware in global supply-chain attacks Date: Thu, 20 Nov 2025 14:29:45 +0000 Description: ESET says PlushDaemon can ploy SlowStepper malware against targets anywhere in the world. FULL STORY ======================================================================China-al igned PlushDaemon deploys malware through compromised routers PlushDaemon deploys LittleDaemon and DaemonLogistics on network devices The final payload, SlowStepper, can run commands and deploy spyware China-aligned hacking group PlushDaemon has been spotted by ESET targeting routers and other network devices with malware to launch supply chain attacks. The cybersecurity experts note the group has been active since 2018, and has so far deployed attacks against targets in the United States, New Zealand, Cambodia, Hong Kong, Taiwan, and mainland China. The group deploys the EdgeStepper implant on network devices by exploiting software vulnerabilities, or by using default administrative credentials that have not been changed on the targeted infrastructure. PlushDaemon strikes routers with malware ESET researchers studied how the attack unfolded against software input method Sogou Pinyin. Once EdgeStepper has been deployed, the implant will begin redirecting incoming DNS queries that relate to software updates to a malicious DNS node, which then directs software updates to a malicious IP address used for hijacking. (Image credit: ESET) Rather than receiving a software update from the legitimate node, a DLL file containing the LittleDaemon malware downloader is served from the hijacking node. LittleDaemon then serves the DaemonicLogistics malware dropper which is executed in memory, retrieving the final step in the attack: SlowStepper. (Image credit: ESET) Slowstepper can perform a range of malicious actions, such as pulling system information, deploying Python-based spyware to log keystrokes and steal credentials, or execute files and run commands. Due to the nature of PlushDaemons attack vector, the group has the capability to compromise targets anywhere in the world. For more information on indicators of compromise and technical details on the malware, take a look at ESETs Research on PlushDaemon . ====================================================================== Link to news story: https://www.techradar.com/pro/security/chinas-plushdaemon-group-uses-edgestepp er-implant-to-infect-network-devices-with-slowstepper-malware-in-global-supply -chain-attacks --- Mystic BBS v1.12 A49 (Linux/64) * Origin: tqwNet Technology News (1337:1/100) .