Intel Name: PlushDaemon compromises network devices for adversary-in-the-middle attacks
Date of Scan: November 24, 2025
Impact: Medium
Summary: PlushDaemon is a China-aligned espionage group active since at least 2018, targeting entities in China, Taiwan, Hong Kong, Cambodia, South Korea, the United States, and New Zealand. The group uses its custom backdoor SlowStepper and primarily gains initial access by hijacking legitimate software updates through its network implant EdgeStepper; it has also exploited web-server vulnerabilities and conducted a supply-chain attack in 2023. To perform adversary-in-the-middle attacks, PlushDaemon compromises network devices and deploys EdgeStepper (internally named dns_cheat_v2), which intercepts DNS traffic and forwards it to malicious DNS nodes. This lets the attackers redirect legitimate update requests to attacker-controlled servers, deliver malicious updates, and deploy SlowStepper in support of broader espionage operations.