PlushDaemon compromises network devices for adversary-in-the-middle attacks
welivesecurity.com
ESET researchers provide insights into how PlushDaemon performs adversary-in-the-middle attacks using a previously undocumented network implant that we have named EdgeStepper, which redirects all DNS queries to an external, malicious hijacking node, effectively rerouting the traffic from legitimate infrastructure used for software updates to attacker-controlled infrastructure.
Key points in this blogpost:
- We analyzed the network implant EdgeStepper to understand how PlushDaemon attackers compromise their targets.
- We provide an analysis of LittleDaemon and DaemonicLogistics, two downloaders that deploy the group’s signature SlowStepper backdoor on Windows machines.
PlushDaemon profile
PlushDaemon is a China-aligned threat actor active since at least 2018 that engages in espionage operations against individuals and entities in China, Taiwan, Hong Kong, Cambodia, South Korea, the United States, and New Zealand. PlushDaemon uses a custom backdoor that we track as SlowStepper, and its main initial access technique is to hijack legitimate updates by redirecting traffic to attacker-controlled servers through ...
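The hijack described above works because the victim's update client trusts whatever its normal DNS path returns. A practical way to spot that kind of redirection from an endpoint is to resolve the vendor's update hostnames twice, once through the normal resolver path (UDP/53 through the edge device) and once through an out-of-band path the implant does not touch (for example DNS over HTTPS on TCP/443 to a pinned public resolver), then flag answers that fall outside the vendor's known address ranges and are not confirmed by the reference path. The example below is added here as an illustration and is not code from ESET or from the report; the domain names, IP addresses, "expected ranges" and both answer sets are constructed test data, and the out-of-band reference lookup is assumed to have been collected separately and passed in as a plain dictionary.

```python
import ipaddress
from dataclasses import dataclass

# Constructed: vendor update hostnames that are worth pinning, with the
# address ranges the vendor's CDN is assumed to use. These are assumptions
# for the example, not real vendor data.
EXPECTED_RANGES = {
    "update.example-vendor.test": [ipaddress.ip_network("203.0.113.0/24")],
    "cdn.example-vendor.test": [ipaddress.ip_network("198.51.100.0/24")],
}

# Constructed: what the host's normal resolver path returned. The first
# entry simulates a hijacked answer pointing at an attacker-controlled host.
LOCAL_ANSWERS = {
    "update.example-vendor.test": {"192.0.2.44"},
    "cdn.example-vendor.test": {"198.51.100.7"},
    "www.unrelated.test": {"192.0.2.10"},
}

# Constructed: answers from the assumed out-of-band reference path
# (e.g. DoH over TCP/443), which the implant is assumed not to intercept.
REFERENCE_ANSWERS = {
    "update.example-vendor.test": {"203.0.113.20", "203.0.113.21"},
    "cdn.example-vendor.test": {"198.51.100.9"},
    "www.unrelated.test": {"192.0.2.10"},
}


@dataclass(frozen=True)
class Finding:
    name: str
    local: tuple
    reference: tuple
    reason: str


def _outside_ranges(addresses, ranges):
    """Return the addresses that fall in none of the given networks."""
    return {
        ip for ip in addresses
        if not any(ipaddress.ip_address(ip) in net for net in ranges)
    }


def classify(name, local, reference, expected_ranges):
    """Decide whether one hostname's local answers look hijacked.

    Returns a reason string, or None when the answers are acceptable.
    """
    ranges = expected_ranges.get(name)
    if ranges is None:
        # Not a pinned update host: only a blunt divergence check applies.
        if local and reference and local.isdisjoint(reference):
            return "local and reference answers share no address"
        return None
    unexpected = _outside_ranges(local, ranges)
    if not unexpected:
        # Differing but in-range answers are ordinary CDN rotation, not a hijack.
        return None
    if unexpected <= reference:
        # The reference path agrees, so the pinned ranges are stale, not hijacked.
        return None
    return (f"answers {sorted(unexpected)} are outside the expected ranges "
            f"and not confirmed by the reference path")


def find_hijacked(local_answers, reference_answers, expected_ranges):
    """Compare both answer sets for every name and collect the suspicious ones."""
    findings = []
    for name in sorted(local_answers):
        local = set(local_answers[name])
        reference = set(reference_answers.get(name, ()))
        reason = classify(name, local, reference, expected_ranges)
        if reason is not None:
            findings.append(Finding(name, tuple(sorted(local)),
                                    tuple(sorted(reference)), reason))
    return findings


if __name__ == "__main__":
    for f in find_hijacked(LOCAL_ANSWERS, REFERENCE_ANSWERS, EXPECTED_RANGES):
        print(f"SUSPECT {f.name}: local={f.local} reference={f.reference} ({f.reason})")
```

Two caveats matter when turning this into a real check. The reference path only helps if the implant cannot reach it, so it must not be plain DNS to a different server (the edge device redirects all port-53 queries regardless of destination); a pinned DoH or DoT resolver over TCP is the usual choice. And pinned ranges go stale as vendors move CDNs, which is why the code treats an out-of-range answer that the reference path also returns as a pinning error rather than a hijack.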
Copyright of this story belongs to welivesecurity.com.

