China-aligned threat actor is conducting widespread cyberespionage campaigns
Summary
Researchers at ESET have uncovered a long-running cyberespionage campaign by a China-aligned group tracked as PlushDaemon. The group implants routers and other network devices with a component named EdgeStepper that hijacks DNS queries for software-update domains and redirects victims to attacker-controlled infrastructure. That allows the actors to deliver downloaders (LittleDaemon and DaemonLogistics) and a backdoor toolkit used to carry out espionage.
Key Points
- PlushDaemon uses a network implant called EdgeStepper to reroute DNS queries tied to software updates to attacker-controlled servers.
- Compromised update channels deliver downloaders LittleDaemon and DaemonLogistics, which install backdoor toolkits for cyberespionage.
- Attacks have been active since at least 2019 (PlushDaemon activity stretches back to 2018) and have targeted organisations in the US, Taiwan, Japan and elsewhere.
- Targets include a Beijing university, a Taiwanese electronics manufacturer, an automotive-sector company and a Japanese manufacturer.
- Initial compromise likely leverages vulnerable network device firmware, software flaws or weak/default administrative credentials, and abuse of popular Chinese software products.
Content Summary
EdgeStepper is deployed on routers and network devices to intercept DNS requests. When it detects queries related to software updates, it replies with IPs that point to hijacking nodes under the attackers’ control. Those nodes host malicious updates or payloads that install the LittleDaemon and DaemonLogistics downloaders, which then fetch and activate espionage-capable backdoors.
The campaign has been in operation for years and includes previous incidents such as a compromised VPN installer from South Korea’s IPany. ESET’s analysis links the tactics to broader PlushDaemon activity across the East Asia–Pacific region and the US.
Context and Relevance
Network-device compromise via update hijacks is a growing supply-chain and infrastructure risk: attackers can persistently control traffic and deliver tailored payloads without needing endpoint exploits. This case highlights how threat actors abuse update processes and default/weak credentials in widely deployed equipment, making sectors that rely on third-party firmware and commercial software particularly exposed.
For security teams, the research underlines the need to monitor DNS behaviour, validate software-update sources, and harden network device management (patching firmware, changing default credentials, and segmenting management interfaces).
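One concrete form of the DNS monitoring recommended above is to compare the answers your resolver hands out for software-update domains against the address ranges those domains are known to use; an update domain suddenly resolving elsewhere is the observable symptom of the kind of hijack described in this report. The check below is an added example written for this summary, not code from ESET or the article; the update domains, expected ranges and resolver log format are all constructed for illustration.

```python
"""Flag DNS answers for software-update domains that fall outside the
address ranges those domains are expected to resolve to.
All domains, ranges and log lines below are constructed for this example."""
import ipaddress
import re

# Constructed: update domains an organisation depends on, mapped to the
# ranges a trusted resolver is known to return for them.
EXPECTED_UPDATE_RANGES = {
    "update.example-vendor.test": ["203.0.113.0/24"],
    "dl.example-software.test": ["198.51.100.0/24", "2001:db8:1::/48"],
}

# Constructed resolver log format: "<timestamp> <client> <qname> <qtype> <answer>"
LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (A|AAAA) (\S+)$")


def _matches_update_domain(qname):
    """Return the configured update domain that qname equals or sits under."""
    qname = qname.rstrip(".").lower()
    for domain in EXPECTED_UPDATE_RANGES:
        if qname == domain or qname.endswith("." + domain):
            return domain
    return None


def find_suspicious_answers(log_lines):
    """Return (client, qname, answer, update_domain) for every A/AAAA answer
    to an update domain whose address is outside the expected ranges."""
    findings = []
    for line in log_lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines instead of aborting the scan
        _ts, client, qname, _qtype, answer = m.groups()
        domain = _matches_update_domain(qname)
        if domain is None:
            continue
        try:
            addr = ipaddress.ip_address(answer)
        except ValueError:
            continue  # non-address answer (e.g. CNAME); not checked here
        allowed = any(addr in ipaddress.ip_network(r)
                      for r in EXPECTED_UPDATE_RANGES[domain])
        if not allowed:
            findings.append((client, qname, answer, domain))
    return findings


SAMPLE_LOG = [  # constructed sample resolver log lines
    "2025-11-20T10:00:01Z 10.0.5.21 update.example-vendor.test A 203.0.113.17",
    "2025-11-20T10:00:02Z 10.0.5.21 www.example.test A 192.0.2.80",
    "2025-11-20T10:00:03Z 10.0.5.44 dl.example-software.test A 192.0.2.99",
    "2025-11-20T10:00:04Z 10.0.5.44 cdn.dl.example-software.test AAAA 2001:db8:1::5",
    "garbage line",
]

if __name__ == "__main__":
    for finding in find_suspicious_answers(SAMPLE_LOG):
        print("suspicious update-domain answer:", finding)
```

A hit is a starting point for investigation, not proof of compromise: confirm by resolving the same name through an out-of-band resolver and by checking whether the device's DNS settings or firmware have changed.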
Why should I read this
Heads-up: this isn’t a one-off malware drop — it’s a stealthy, years-long technique that turns trusted update channels and routers into spying tools. If you manage networks, supply chains or device fleets, reading this saves you time and shows exactly where to harden things before someone else turns your infrastructure into a listening post.
Source
Source: https://therecord.media/china-aligned-threat-actor-espionage-network-devices
