Inside PlushDaemon’s EdgeStepper DNS Hijacking Playbook
ESET Research uncovered EdgeStepper, a previously undocumented network implant used by the China-aligned PlushDaemon APT to run adversary-in-the-middle (AitM) operations by hijacking DNS. By compromising routers and other network devices, the group silently reroutes update traffic from legitimate vendors to attacker-controlled nodes, ultimately delivering its custom SlowStepper backdoor to Windows systems.
Who PlushDaemon targets
- Active since at least 2018; espionage-focused.
- Observed against victims in China, Taiwan, Hong Kong, Cambodia, South Korea, the United States, and New Zealand.
- Access via hijacked software updates, web server exploits, and a 2023 supply-chain attack.
How the AitM update hijack works
- Compromise a network device used by the target (often via vulnerabilities or weak/default credentials).
- Deploy EdgeStepper to intercept UDP/53 and forward DNS requests to a malicious DNS node.
- The node selectively replies with hijacking server IPs when the request matches update domains (for example, Sogou Pinyin endpoints), pushing the updating software to contact attacker infrastructure over HTTP.
- The hijacking node instructs the app to fetch a malicious DLL (for example, popup_4.2.0.2246.dll), which is LittleDaemon.
EdgeStepper at a glance
- Built in Go with the GoFrame framework; ELF for MIPS32.
- Configuration decrypted from /etc/bioset.conf using AES-CBC, with both the key and the IV set to "I Love Go Frame!" (the GoFrame default IV).
- Sample config keys: toPort (default 1090) and host (resolves the malicious DNS node, for example ds20221202.dsc.wcsset[.]com).
- Uses iptables to redirect all UDP traffic on port 53 to the local listener port, and cleans up rules on exit.
- An unused binary config referenced test.dsc.wcsset[.]com, historically resolving to 47.242.198[.]250, a known hijacking node.
Payload chain on Windows
- LittleDaemon: First-stage DLL/EXE delivered via the hijack. Checks whether SlowStepper is already present; if not, downloads the in-memory loader DaemonicLogistics from the hijacking node over HTTP, using requests to legitimate-looking domains (for example, ime.sogou.com or mobads.baidu.com) that the hijacked DNS resolves to attacker infrastructure, and runs it. No persistence.
- DaemonicLogistics: Position-independent loader that interprets HTTP status codes as commands (for example, 200 or 207) and downloads SlowStepper. It checks for "360tray.exe" to evade 360 Total Security, writes decoy files under paths such as %PROGRAMDATA%\Tencent\QQUpdateMgr\UpdateFiles, and decrypts payloads masquerading as ZIP/GIF.
- SlowStepper: PlushDaemon’s primary backdoor, deployed after the above stages.
Notable telemetry and infrastructure
- Victims seen since 2019 across the US, Taiwan, China, Hong Kong, New Zealand, and Cambodia; examples include a Beijing university, a Taiwanese electronics maker, and automotive and manufacturing organizations in Cambodia.
- Known domains and nodes include ds20221202.dsc.wcsset[.]com and test.dsc.wcsset[.]com (47.242.198[.]250). Some servers act as both DNS and hijacking nodes.
Detection and mitigation tips
- Monitor network devices for unexpected iptables rules redirecting UDP/53 to non-standard local ports (for example, 1090).
- Inspect DNS flows for selective redirection of update domains to non-vendor IPs or to wcsset[.]com infrastructure.
- Watch for update traffic over HTTP that retrieves DLLs such as "popup_4.2.0.2246.dll" or paths like "/update/updateInfo.bzp" from non-vendor addresses.
- Hunt for Windows artifacts such as LittleDaemon, DaemonicLogistics in memory, suspicious QQUpdateMgr directories, or encrypted payloads posing as ZIP/GIF.
- Review ESET’s IoCs and ATT&CK mapping to enhance detection and response.
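To make the first tip concrete, here is an added example (not code from ESET or the original article) that scans `iptables-save` output for nat-table rules diverting UDP/53 to a port other than 53, the pattern EdgeStepper creates with its toPort listener. The sample dump is constructed; the only page-derived value is the default port 1090.

```python
import re
from typing import Dict, List, Optional

# Constructed `iptables-save` output, not a real capture. The two UDP/53 rules in
# PREROUTING mirror the EdgeStepper behaviour: DNS diverted to a local listener
# on toPort (1090 by default); the TCP/80 rule is ordinary router NAT.
SAMPLE_IPTABLES_SAVE = """\
*nat
-A PREROUTING -i br-lan -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080
-A PREROUTING -p udp -m udp --dport 53 -j DNAT --to-destination 127.0.0.1:1090
-A PREROUTING -p udp -m udp --dport 53 -j REDIRECT --to-ports 1090
COMMIT
*filter
-A INPUT -p udp -m udp --dport 53 -j ACCEPT
COMMIT
"""

def parse_rule(line: str) -> Optional[Dict[str, object]]:
    """Extract chain, protocol, dport, target and rewritten port from an -A line."""
    chain = re.match(r"-A\s+(\S+)", line)
    proto = re.search(r"-p\s+(\S+)", line)
    dport = re.search(r"--dport\s+(\d+)", line)
    target = re.search(r"-j\s+(\S+)", line)
    if not (chain and proto and dport and target):
        return None
    dest_port = int(dport.group(1))      # unchanged unless a NAT target rewrites it
    to_ports = re.search(r"--to-ports\s+(\d+)", line)
    to_dest = re.search(r"--to-destination\s+(\S+)", line)
    if target.group(1) == "REDIRECT" and to_ports:
        dest_port = int(to_ports.group(1))
    elif target.group(1) == "DNAT" and to_dest and ":" in to_dest.group(1):
        dest_port = int(to_dest.group(1).rsplit(":", 1)[1])
    return {"chain": chain.group(1), "proto": proto.group(1), "dport": int(dport.group(1)),
            "target": target.group(1), "dest_port": dest_port, "rule": line}

def find_dns_redirects(dump: str) -> List[Dict[str, object]]:
    """Return nat-table rules that divert UDP/53 to a port other than 53."""
    findings, table = [], None
    for raw in dump.splitlines():
        line = raw.strip()
        if line.startswith("*"):
            table = line[1:]                 # remember which table the rules belong to
        elif table == "nat" and line.startswith("-A"):
            rule = parse_rule(line)
            if rule and rule["proto"] == "udp" and rule["dport"] == 53 and rule["dest_port"] != 53:
                findings.append(rule)
    return findings
```

Feed it the real output of `iptables-save` (and `ip6tables-save`) collected from the device; any hit should be compared against the device's known configuration before being treated as an implant indicator.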
Key takeaway
PlushDaemon’s EdgeStepper enables stealthy DNS redirection on compromised routers, turning routine software updates into reliable delivery channels for the group’s Windows backdoor toolkit.
Source: WeLiveSecurity