active threat profile
type: APT
threat level: critical
status: active
origin: China (assessed)
last updated: 2026-03-26

PlushDaemon

also known as: PlushDaemon (ESET); no cross-vendor alias as of March 2026

PlushDaemon is a China-aligned APT group that has operated since at least 2018, first publicly documented by ESET in January 2025. The group's defining characteristic is its adversary-in-the-middle approach to supply chain compromise — rather than directly attacking targets, PlushDaemon compromises network devices in the path of its targets' traffic, then redirects legitimate software update requests to attacker-controlled infrastructure that silently delivers the SlowStepper espionage backdoor. The group's own developers called their network implant dns_cheat_v2; ESET named it EdgeStepper.

attributed origin: China (assessed; China-aligned targeting patterns, tooling hosted on the Chinese platform GitCode)
suspected sponsor: Chinese state intelligence (assessed); no formal government attribution as of March 2026
first observed: active since at least 2018 (ESET assessment, Nov 2025); oldest SlowStepper PE timestamp is January 31, 2019 (version 0.1.7); victim telemetry begins 2019; first publicly documented January 2025
primary motivation: cyberespionage; long-term surveillance of strategic targets across East Asia-Pacific and the United States
primary targets: South Korea, Taiwan, Hong Kong, United States, New Zealand, mainland China, Cambodia
known victims: university in Beijing; electronics manufacturer (Taiwan); semiconductor company (South Korea); automotive and Japanese manufacturing (Cambodia)
MITRE ATT&CK group: unassigned (sole attributing vendor is ESET; no G-number as of March 2026)
target regions: East Asia-Pacific (primary); United States; New Zealand
threat level: HIGH; global reach capability confirmed

Overview

PlushDaemon is one of at least ten China-aligned APT groups that ESET tracks as actively hijacking software update mechanisms for initial access and lateral movement — a technique that has become significantly more common among Chinese state-linked actors over the past two years. What distinguishes PlushDaemon within this cluster is the sophistication and operational subtlety of its approach. Instead of simply compromising a vendor's update server or poisoning a package repository, PlushDaemon compromises the network devices that sit between a target and the internet — routers and similar edge gear — and uses those devices to silently redirect legitimate update traffic at the DNS level.

ESET first documented the group in January 2025, revealing a supply chain compromise of IPany, a South Korean VPN provider, in 2023. In that operation, PlushDaemon replaced the legitimate IPany installer with a trojanized version that delivered both the real VPN software and the SlowStepper backdoor, targeting users across South Korean semiconductor and software development companies. Then in November 2025, ESET published a second detailed report revealing the EdgeStepper network implant technique — a broader, more scalable approach to update hijacking that allows the group to reach targets regardless of geography, so long as they use affected software.

The oldest known SlowStepper sample has a compiled timestamp of January 31, 2019 — setting the group's operational baseline at least that far back, with active development continuing through at least version 0.2.12, compiled June 13, 2024. The version history and technical breadth of the toolset indicate a well-resourced, dedicated development team that has been quietly building capability for years before public exposure.

One of the more puzzling aspects of PlushDaemon's targeting is the inclusion of mainland Chinese organizations — a university in Beijing and a Taiwanese electronics company's China-based operations — among confirmed victims. ESET researchers noted they could not determine the purpose of targeting organizations in mainland China, which is uncommon for a China-aligned actor. Possible explanations include collection against foreign-linked employees, monitoring of politically sensitive research, or targeting individuals connected to the Taiwanese firm's China operations.

global reach by design

ESET's researcher Facundo Muñoz stated explicitly that PlushDaemon's adversary-in-the-middle capabilities are strong enough to compromise targets anywhere in the world. The group does not need to find and exploit a target's systems directly — it only needs to compromise a network device in the path of that target's traffic, which can be anywhere on the route from the target's device to the internet. Combined with targeting of popular Chinese software used globally (Sogou Pinyin, Baidu Netdisk, Tencent QQ, WPS Office), the attack surface is genuinely worldwide.

Target Profile

PlushDaemon's confirmed victim set spans individuals and organizations in seven countries across East Asia, Southeast Asia, and the Western Pacific, plus the United States. The profile is consistent with Chinese state intelligence collection priorities: semiconductor and electronics manufacturers, academic institutions, software developers in technologically sensitive sectors, and automotive industry operations — all of which represent strategic economic and technical intelligence targets for Beijing.

  • South Korean technology sector: The IPany supply chain attack targeted users at a South Korean semiconductor company and an unidentified software development firm — both sectors of acute strategic interest given South Korea's role in global chip manufacturing. South Korea has featured consistently in confirmed PlushDaemon victim telemetry since at least 2019.
  • Taiwan: A Taiwanese electronics manufacturer is among confirmed victims via the update hijacking chain. Taiwan's electronics and semiconductor industries represent one of the highest-value intelligence collection targets for Chinese state actors, given their role in global technology supply chains.
  • United States: Confirmed in ESET telemetry as a target country since at least 2019, though specific US victim organizations have not been publicly named. The US-targeted operations are assessed to follow the same update-hijacking methodology targeting users of affected Chinese software products.
  • Cambodia — manufacturing and automotive: In 2025, ESET confirmed two Cambodia-based victims: a company in the automotive sector and a branch of a Japanese manufacturing company. This suggests PlushDaemon follows strategic industrial targets into Southeast Asian operations — tracking Japanese automotive supply chain presence even when the primary organization is Japan-headquartered.
  • Mainland China — academia and overseas-linked entities: A university in Beijing was confirmed among victims. While this is unusual for a China-aligned actor, it aligns with the possibility of monitoring individuals with foreign connections, politically sensitive research, or access to overseas networks of interest to Chinese intelligence.
  • Hong Kong and New Zealand: Both confirmed in ESET telemetry. Hong Kong targets are consistent with monitoring of pro-democracy figures and overseas-connected individuals. New Zealand targets likely reflect interest in Five Eyes-adjacent government and research entities.

Tactics, Techniques & Procedures

PlushDaemon's attack chain is architecturally distinct from conventional APT intrusion paths. The group does not directly compromise target endpoints — it compromises the network infrastructure targets route traffic through, then uses that position to deliver malicious updates transparently. A third documented initial access vector, noted by ESET researcher Facundo Muñoz, is exploitation of vulnerabilities in legitimate web servers: PlushDaemon abused an unidentified vulnerability in Apache HTTP Server at an organization in Hong Kong. TTPs sourced from ESET research (January 2025 and November 2025) mapped to MITRE ATT&CK v18.

MITRE ID (technique): description
T1190 (Exploit Public-Facing Application, Apache HTTP Server): ESET researcher Facundo Muñoz disclosed that PlushDaemon abused an unidentified vulnerability in Apache HTTP Server at an organization in Hong Kong, gaining initial access through the web server rather than through network device compromise or supply chain. This confirms a third distinct initial access vector alongside the EdgeStepper network device compromise and the IPany installer supply chain attack; the group adapts its entry point to whatever vulnerability is available at a given target.
T1584.008 (Compromise Infrastructure: Network Devices): PlushDaemon compromises routers and edge network devices via exploited software vulnerabilities or weak/default administrative credentials. The compromised device becomes the platform for EdgeStepper deployment. This stage requires no interaction with the target's own systems, only with shared network infrastructure the target uses.
T1195.002 (Supply Chain Compromise: Compromise Software Supply Chain): Used in the 2023 IPany VPN supply chain attack: PlushDaemon compromised the vendor's distribution platform and replaced the legitimate installer with a trojanized NSIS installer that deployed both the real VPN software and SlowStepper. The malicious installer was available from the official IPany website with no geofencing; any IPany user globally could have received the infected installer.
T1557 (Adversary-in-the-Middle): EdgeStepper's core function. The implant runs on a compromised network device and intercepts all DNS queries. When a query relates to a software update domain (Sogou Pinyin, Baidu Netdisk, Tencent QQ, WPS Office, and others), EdgeStepper replaces the legitimate update server's IP with a PlushDaemon-controlled IP, routing the update request to attacker infrastructure. The target's software receives and installs what it believes is a legitimate update.
T1071.004 (Application Layer Protocol: DNS): EdgeStepper uses iptables to redirect all UDP port 53 traffic to its own listener, then forwards DNS queries to a malicious external DNS server it controls. SlowStepper itself uses DNS for C2, resolving TXT records from the domain 7051.gsm.360safe[.]company to obtain C2 server addresses, so C2 communications blend with legitimate DNS traffic.
T1105 (Ingress Tool Transfer): LittleDaemon (first-stage downloader) communicates with the hijacking node to retrieve DaemonicLogistics. DaemonicLogistics interprets HTTP status codes from the hijacked server as commands to download and install SlowStepper. The use of HTTP status codes as command signals is an unusual evasion technique: the download traffic appears as normal HTTP responses to a software update request.
T1547.001 (Boot or Logon Autostart: Registry Run Keys): SlowStepper establishes persistence on Windows hosts via registry run keys, ensuring execution on every system startup. Components are stored encrypted on disk between execution cycles to reduce the static detection surface.
T1574.002 (Hijack Execution Flow: DLL Side-Loading): In the IPany supply chain attack, SlowStepper was loaded via DLL side-loading using a disguised image file (winlogin.gif) and a malicious DLL (lregdll.dll), a technique that abuses legitimate Windows application loading behavior to execute malicious code without obvious process injection.
T1082 (System Information Discovery): SlowStepper collects extensive system information including running processes, registry contents, network configuration, and installed software. The backdoor implements a custom command shell on top of its C2 protocol, enabling interactive operator-written commands for targeted reconnaissance beyond automated collection.
T1539 (Steal Web Session Cookie): SlowStepper's Browser module collects data from web browsers including stored credentials, cookies, and session tokens. The getcode.mod and getcode64.mod components incorporate Mimikatz functionality for credential harvesting from Windows systems.
T1113 (Screen Capture): SlowStepper includes a screenshot capability as part of its surveillance toolkit. Combined with audio and video recording modules, the backdoor provides full ambient surveillance capability on compromised endpoints.
T1119 (Automated Collection): SlowStepper's Python and Go module toolkit enables automated collection across messaging applications (WeChat, Telegram), browsers, and the file system. Modules execute, send output and created files to the C2 server, and terminate; the operator can request specific collection without persistent module presence on disk.
T1070 (Indicator Removal): SlowStepper can remove its own files on command (the "kill" command in the C2 protocol). Components are stored encrypted on disk. Signed modules (soc.mod, stoll.mod) abuse code-signing trust to reduce detection risk. DLL side-loading and encrypted component storage reduce the static malware footprint at rest.
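Added example (not from the profile, ESET, or any PlushDaemon tooling): detection logic for the T1071.004 pattern above, matching DNS query logs against the two SlowStepper C2 names and flagging TXT lookups to domains outside an allowlist, as the DNS monitoring guidance later in this profile recommends. The log line format, the TXT allowlist, and every domain other than the two defanged C2 names are assumptions.

```python
"""Flag SlowStepper-style DNS C2 lookups in DNS query logs.

Added example for this profile, not ESET tooling. Assumed log format:
"<timestamp> <client_ip> <qtype> <qname>", one query per line.
"""
from collections import defaultdict

# Defanged indicators from the profile; refanged at load time.
KNOWN_C2_DOMAINS = {
    "7051.gsm.360safe[.]company": "SlowStepper primary C2 (TXT resolution)",
    "st.360safe[.]company": "SlowStepper fallback C2 (gethostbyname)",
}
# Assumed allowlist: domains whose TXT lookups are routine here (SPF/DMARC,
# ACME challenges). Tune per organisation; example.com is a placeholder.
TXT_ALLOWLIST_SUFFIXES = ("example.com", "_acme-challenge.example.org")


def refang(domain: str) -> str:
    """Turn a defanged indicator like a[.]b into a comparable lowercase name."""
    return domain.replace("[.]", ".").lower().rstrip(".")


C2_LOOKUP = {refang(d): desc for d, desc in KNOWN_C2_DOMAINS.items()}


def matches_suffix(qname: str, suffixes) -> bool:
    return any(qname == s or qname.endswith("." + s) for s in suffixes)


def classify(qtype: str, qname: str):
    """Return (severity, reason) for a query, or None if it is unremarkable."""
    name = refang(qname)
    if name in C2_LOOKUP:
        return ("high", C2_LOOKUP[name])
    if matches_suffix(name, ("360safe.company",)):
        return ("high", "subdomain of known SlowStepper C2 zone 360safe[.]company")
    if qtype == "TXT" and not matches_suffix(name, TXT_ALLOWLIST_SUFFIXES):
        return ("medium", "TXT query to domain outside TXT allowlist")
    return None


def scan(lines):
    """Return (client, qtype, qname, severity, reason) for each suspicious query."""
    findings = []
    for line in lines:
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines rather than crash on them
        _ts, client, qtype, qname = parts
        verdict = classify(qtype.upper(), qname)
        if verdict:
            findings.append((client, qtype.upper(), refang(qname), *verdict))
    return findings


def hosts_with_c2_resolution(findings):
    """Map client IP -> set of C2 names it resolved (high-severity hits only)."""
    per_client = defaultdict(set)
    for client, _qtype, qname, severity, _reason in findings:
        if severity == "high":
            per_client[client].add(qname)
    return dict(per_client)


# Constructed sample log: one routine DMARC TXT lookup, one host doing the
# primary-then-fallback SlowStepper resolution, one unexplained TXT lookup.
SAMPLE_LOG = """\
2025-06-01T08:00:01Z 10.0.0.5 A updates.vendor-placeholder.test
2025-06-01T08:00:02Z 10.0.0.5 TXT _dmarc.example.com
2025-06-01T08:00:09Z 10.0.0.7 TXT 7051.gsm.360safe.company
2025-06-01T08:01:10Z 10.0.0.7 A st.360safe.company
2025-06-01T08:02:00Z 10.0.0.9 TXT cdn-telemetry.unknown-vendor.test
""".splitlines()

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
    print(hosts_with_c2_resolution(scan(SAMPLE_LOG)))
```

The medium tier is deliberately noisy on first deployment; the intent is to build the allowlist from observed legitimate TXT lookups and let the high tier fire on the 360safe[.]company zone regardless.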

Known Campaigns

Both publicly documented PlushDaemon campaigns were uncovered and reported exclusively by ESET. The group's long operational history since 2018 and methodical infrastructure-building suggest significantly more undisclosed activity across its target regions.

IPany VPN Supply Chain Attack (2023; detected May 2024; reported January 2025)

PlushDaemon compromised the distribution infrastructure of IPany, a South Korean VPN provider, and replaced the legitimate installer with a trojanized NSIS Windows installer. The malicious installer (IPanyVPNsetup.zip) was available directly from the official IPany website at ipany[.]kr/download/IPanyVPNsetup.zip. When installed, it deployed both the functional VPN client and the SlowStepper backdoor. ESET found no geofencing in the download mechanism — any user downloading IPany during the compromise window was a potential victim. Via ESET telemetry, confirmed victims included a semiconductor company and an unidentified software development company operating in South Korea. The malicious installer was removed after ESET notified IPany. SlowStepper was loaded via DLL side-loading using winlogin.gif and lregdll.dll to evade detection.

EdgeStepper DNS Hijacking of Chinese Software Updates (2019 to present; reported November 2025)

PlushDaemon's primary and ongoing attack methodology, documented by ESET in November 2025. The group compromises routers and edge network devices accessible to targets — via unpatched vulnerabilities or default credentials — and deploys the EdgeStepper implant (internally named dns_cheat_v2 by PlushDaemon developers). EdgeStepper intercepts all DNS queries on the device using iptables rules redirecting UDP port 53 traffic, then selectively hijacks queries to update domains of popular Chinese software: Sogou Pinyin input method, Baidu Netdisk, Tencent QQ, and WPS Office. Hijacked queries receive a PlushDaemon-controlled IP in response. The target software performs what it believes is a routine update, receives LittleDaemon, which fetches DaemonicLogistics, which installs SlowStepper. Confirmed victims span China, Taiwan, Cambodia, South Korea, the United States, Hong Kong, and New Zealand from 2019 through 2025.

Cambodia Manufacturing Targeting (2025)

ESET confirmed two Cambodia-based victims in 2025 via the EdgeStepper update-hijacking chain: a company in the automotive sector and a branch of a Japanese manufacturing company. The Japan-headquartered parent company adds an international supply chain dimension — PlushDaemon is tracking strategic industrial targets across Southeast Asian operational footprints, not just headquarters locations. This is consistent with broader Chinese intelligence collection priorities targeting automotive and precision manufacturing technology.

Tools & Malware

  • EdgeStepper (network implant): A Golang ELF binary deployed on compromised routers and network devices. Internally named dns_cheat_v2 by PlushDaemon developers. Uses iptables to redirect all UDP port 53 traffic to itself, then selectively hijacks DNS responses to software update domains, replacing legitimate server IPs with PlushDaemon-controlled IPs. Acts as either a DNS node, a hijacking node, or both depending on configuration. Removes its iptables rules cleanly on termination. First documented by ESET in November 2025.
  • LittleDaemon (first-stage downloader): Available as both DLL and EXE (both 32-bit PEs). Deployed on victim machines via the hijacked update channel. Checks whether SlowStepper is already running; if not, communicates with the hijacking node to retrieve DaemonicLogistics. Does not establish persistence — it is transient by design, functioning only as a staging relay.
  • DaemonicLogistics (second-stage downloader): Interprets HTTP status codes from the hijacking node as operational commands to download and install SlowStepper. The use of standard HTTP status codes as a covert command channel is an effective evasion technique — the traffic is indistinguishable from normal update server communication to network monitoring tools looking for explicit C2 patterns.
  • SlowStepper (primary backdoor): PlushDaemon's signature implant, used exclusively by this group. A modular C++/Python/Go backdoor with 30+ components as of the most recently analyzed version (0.2.12, compiled June 2024). C2 uses DNS TXT record resolution to obtain server addresses, routing queries through legitimate public DNS (114.114.114.114) to obtain records for 7051.gsm.360safe[.]company. Fallback C2 via gethostbyname against st.360safe[.]company. Supports a custom interactive shell mode on top of the standard C2 protocol. Components stored encrypted on disk. Capabilities: browser credential theft, cookie and session data collection, screenshot capture, audio and video recording, file system enumeration, WeChat and Telegram message collection, keylogging, Mimikatz-based Windows credential harvesting (via getcode.mod / getcode64.mod), registry queries, process enumeration, and self-removal on operator command. Module code repository hosted on Chinese platform GitCode under account LetMeGo22 (private as of ESET's reporting).
  • Mimikatz (via getcode.mod / getcode64.mod): Standard Windows credential dumping tool incorporated into SlowStepper's module toolkit, used for harvesting plaintext credentials and hashes from Windows memory.

Indicators of Compromise

ESET maintains a comprehensive IOC repository on GitHub covering both the January 2025 (IPany supply chain) and November 2025 (EdgeStepper network implant) disclosures. The full set of file hashes, IP addresses, and domains is available there and should be the primary reference for operational use.

warning

PlushDaemon infrastructure rotates and the GitHub IOC repository should be treated as the authoritative and most current source. Network IOCs (IPs, C2 domains) exposed in public reporting are likely already burned. Behavioral and structural IOCs below have longer operational lives.

indicators of compromise — PlushDaemon (structural and behavioral)
c2 pattern: DNS TXT record queries to 7051.gsm.360safe[.]company (SlowStepper primary C2 resolution method); fallback to st.360safe[.]company via gethostbyname
network behavior: EdgeStepper iptables rules redirect UDP/53 to an internal port and accept packets on the redirect port; detectable via router config audit
file: winlogin.gif, disguised image file used in the DLL side-loading chain (IPany campaign); lregdll.dll, malicious DLL in the side-loading pair
file pattern: SlowStepper components stored encrypted on disk; signed modules soc.mod and stoll.mod, code-signed to abuse trust
supply chain: ipany[.]kr/download/IPanyVPNsetup.zip, trojanized installer URL (historical; malicious version removed after ESET notification)
behavior: registry run key persistence for SlowStepper across reboots; monitor for unexpected run key entries pointing to non-standard DLL/EXE paths
gitcode: LetMeGo22 account on GitCode (Chinese platform), SlowStepper Python module repository (private at time of ESET reporting)
hashes: full file hash tables in the ESET GitHub IOC repository, covering both the January 2025 (supply chain) and November 2025 (EdgeStepper) disclosures

Mitigation & Defense

PlushDaemon's attack chain has a clear and accessible weakest link: the network device compromise that enables EdgeStepper deployment. ESET's researcher stated directly that fixing this stage breaks the entire chain before the group's more sophisticated techniques come into play.

  • Audit and harden all network edge devices: Routers, switches, firewalls, and any device handling traffic ingress and egress should have default credentials changed immediately, firmware updated to the latest patched version, and administrative interfaces restricted to internal management networks only. This is the single most impactful control against PlushDaemon — a hardened router cannot be converted into an EdgeStepper host.
  • Disable or restrict administrative access to edge devices from the internet: EdgeStepper deployment requires the attacker to gain administrative access to a network device. Remote admin interfaces (SSH, web management consoles, SNMP) exposed to the internet dramatically increase exposure. Restrict management access to trusted internal IP ranges or dedicated out-of-band management networks.
  • Monitor router configurations for unexpected iptables rules: EdgeStepper installs iptables rules redirecting UDP port 53 traffic. Periodic automated config audits of managed network devices — checking for unexpected NAT PREROUTING rules or port redirect entries — can detect EdgeStepper presence before the update hijacking chain executes.
  • Verify software update integrity with code signing: Organizations that use Sogou Pinyin, Baidu Netdisk, Tencent QQ, or WPS Office should verify that update packages carry valid publisher signatures matching the expected certificate before installation. Automated software deployment tools should enforce signature verification and reject unsigned or anomalously signed packages.
  • Monitor DNS traffic for anomalous resolution patterns: SlowStepper's C2 uses DNS TXT record resolution to 360safe[.]company subdomains. DNS query logging with alerting on TXT record queries to unexpected or unusual domains — particularly those not matching known legitimate services — can surface SlowStepper C2 activity. DNS-over-HTTPS adoption on endpoints also removes EdgeStepper's ability to intercept plaintext DNS queries.
  • Treat DLL side-loading patterns as high-priority alerts: The winlogin.gif + lregdll.dll side-loading chain used in the IPany campaign is detectable via EDR behavioral rules monitoring for image files loaded as DLLs or unexpected DLL loads from non-standard paths. Process ancestry rules (legitimate software loading an unexpected DLL from its install directory) catch this class of technique reliably.
  • Include router/network device audits in third-party risk assessments: PlushDaemon's technique works against any network device in the path of traffic — including those operated by ISPs, managed service providers, or co-location facilities. Organizations handling sensitive data should assess whether network infrastructure managed by third parties meets the same hardening standards as internally managed devices.
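Added example (not from the profile or ESET): an automated config audit of the kind the iptables bullet above describes, run over a constructed iptables-save dump. The profile gives EdgeStepper's behaviour (UDP/53 diverted in nat PREROUTING, plus an INPUT accept on the landing port) but not its exact rule text, so the checker matches on that behaviour; the sample dump, chain names and port numbers are assumptions.

```python
"""Audit an iptables-save dump for UDP/53 diversion in nat PREROUTING.

Added example for this profile, not ESET's or PlushDaemon's code. Feed it the
output of `iptables-save` collected from a managed router over your normal
management channel; the dump below is constructed.
"""
import shlex

# Constructed dump: one benign port-forward, one DNS redirect of the kind the
# profile attributes to EdgeStepper, and the matching INPUT accept rule.
SAMPLE_DUMP = """\
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -i br0 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.1.10:8080
-A PREROUTING -p udp -m udp --dport 53 -j REDIRECT --to-ports 5353
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
-A INPUT -p udp -m udp --dport 5353 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
COMMIT
"""


def parse_rules(dump: str):
    """Yield (table, chain, argv) for every -A line in an iptables-save dump."""
    table = None
    for raw in dump.splitlines():
        line = raw.strip()
        if line.startswith("*"):
            table = line[1:]
        elif line.startswith("-A ") and table:
            argv = shlex.split(line)
            yield table, argv[1], argv[2:]


def _opt(argv, *names):
    """Value following the first occurrence of any of the given options, else None."""
    for i, tok in enumerate(argv[:-1]):
        if tok in names:
            return argv[i + 1]
    return None


def find_dns_redirects(dump: str):
    """Return nat PREROUTING rules that divert UDP/53, with the port they land on.

    Each finding also records whether a filter INPUT rule accepts UDP on that
    landing port, the second half of the pattern listed in the IoC table.
    """
    findings = []
    accepted_udp_ports = set()
    for table, chain, argv in parse_rules(dump):
        proto = _opt(argv, "-p", "--protocol")
        dport = _opt(argv, "--dport", "--destination-port")
        target = _opt(argv, "-j", "--jump")
        if table == "filter" and chain == "INPUT" and proto == "udp" and target == "ACCEPT" and dport:
            accepted_udp_ports.add(dport)
        if table == "nat" and chain == "PREROUTING" and proto == "udp" and dport == "53":
            if target == "REDIRECT":
                landing = _opt(argv, "--to-ports") or "?"
            elif target == "DNAT":
                dest = _opt(argv, "--to-destination") or ""
                landing = dest.rsplit(":", 1)[-1] if ":" in dest else "?"
            else:
                continue  # other targets (e.g. ACCEPT, RETURN) do not divert traffic
            findings.append({"rule": " ".join(argv), "target": target, "port": landing})
    for f in findings:
        f["input_accept_present"] = f["port"] in accepted_udp_ports
    return findings


if __name__ == "__main__":
    for f in find_dns_redirects(SAMPLE_DUMP):
        print("SUSPICIOUS DNS DIVERSION:", f)
```

A hit is not proof of compromise on its own (some home routers legitimately redirect DNS to a local resolver), so compare each finding against the device's documented baseline configuration before escalating.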

analyst note — broader AitM trend

PlushDaemon is one of at least ten China-aligned APT groups ESET tracks as actively using update-hijacking adversary-in-the-middle techniques for initial access. LuoYu, Evasive Panda, BlackTech, TheWizards APT, Blackwood, and FontGoblin are among the documented peers using similar approaches. This is not an isolated PlushDaemon behavior — it reflects a broader shift in Chinese APT tradecraft toward infrastructure-layer compromise as a scalable and durable initial access methodology. Network device hygiene is therefore a systemic priority, not a PlushDaemon-specific mitigation.
