ESET researchers provide insights into how PlushDaemon conducts adversary-in-the-middle attacks using a previously undocumented network implant known as EdgeStepper. This implant redirects all DNS queries to a malicious hijacking node, effectively rerouting traffic from legitimate infrastructure used for software updates to attacker-controlled infrastructure.
Key points in this blogpost:
- We analyzed the network implant EdgeStepper to understand how PlushDaemon attackers compromise their targets.
- We provide an analysis of LittleDaemon and DaemonicLogistics, two downloaders that deploy the group’s signature SlowStepper backdoor on Windows machines.
PlushDaemon profile
PlushDaemon is a threat actor aligned with China, active since at least 2018, engaging in espionage operations against individuals and entities in various countries. They use a custom backdoor known as SlowStepper and employ EdgeStepper to hijack legitimate updates by redirecting traffic to attacker-controlled servers. Additionally, they have exploited vulnerabilities in web servers and conducted a supply-chain attack in 2023.
Overview
In 2024, during research on PlushDaemon’s activities, including a supply-chain compromise in South Korea, an ELF file submitted to VirusTotal contained subdomains from PlushDaemon’s infrastructure. This file, named bioset, was hosted on a likely compromised server. Internally named dns_cheat_v2, EdgeStepper (or bioset) forwards DNS traffic to a malicious DNS node, enabling the redirection of software update traffic to a malicious node.
Victimology
PlushDaemon has compromised individuals and organizations in various regions since 2019, redirecting software updates to malicious nodes. Victims include entities in the United States, Taiwan, China, Hong Kong, New Zealand, and Cambodia.
Adversary-in-the-middle attack overview
PlushDaemon compromises network devices to deploy EdgeStepper, which redirects DNS queries to a malicious node, intercepting software update traffic. This allows them to serve malicious updates to targeted systems, as illustrated in Figures 2 to 5.
EdgeStepper
Originally named dns_cheat_v2, EdgeStepper is developed in Go using the GoFrame framework and compiled for MIPS32 processors. It decrypts configuration data from /etc/bioset.conf using AES CBC encryption. The decrypted configuration includes details like the port and host information used for malicious activities.
The decrypted configuration specifies that the “toPort” parameter determines the port where EdgeStepper listens, and the “host” parameter specifies the domain that resolves to the IP address(es) of the DNS node for forwarding DNS query packets.
There is an unused configuration block in the EdgeStepper binary with the domain “test.dsc.wcsset[.]com” resolving to “47.242.198[.]250”, which was identified as the source of the malicious update. This domain still resolves to the same IP address at the time of writing.
After loading its configuration, EdgeStepper initializes the Distributor system and the Ruler system.
The Distributor system resolves the IP address(es) associated with the “host” domain and invokes the Ruler system to redirect traffic on port 53 to port 1090, acting as a DNS proxy.
The Ruler system uses the iptables command to redirect UDP traffic on port 53 to the port specified by “toPort” in the configuration. It also accepts packets on that port and removes the rules when terminating the attack.
LittleDaemon is the first stage deployed on the victim’s machine through hijacked updates, communicating with the hijacking node to obtain the DaemonicLogistics downloader. DaemonicLogistics is deployed to download and deploy the SlowStepper implant.
DaemonicLogistics interprets HTTP status codes from the hijacking node as commands, performing actions listed in Table 1. It communicates with the server using specific URLs and parameters, downloading files and executing commands based on the server’s responses. DaemonicLogistics initiated two requests to download the SlowStepper payload files. The first request was made to ime.sogou.com/update/file6.bdat, followed by a request to ime.sogou.com/update/file2.bdat.
The initial response from the server in both cases contained a distinct magic value:
- Upon receiving the first response, the magic value in hexadecimal format was
50 4B 03 04 0A 1B 2C 3D(PK\3\4\A\1B\2C\3C):○ DaemonicLogistics verifies that the first eight bytes of the received data match this magic value. If the condition is met, the data is saved to
%PROGRAMDATA%\Tencent\QQUpdateMgr\UpdateFiles\logo.gif. - In response to the second request, the magic value in hex was
47 49 46 38 39 61 10 10(GIF89a\10\10)○ In this case, DaemonicLogistics does not validate the specific magic value. When the previous magic value check fails, it proceeds to decrypt the data using XOR operations. The decrypted data includes files that are written to specified paths on the disk..
Conclusion
We delved into the EdgeStepper network implant, which facilitates PlushDaemon’s adversary-in-the-middle tactics for intercepting updates within a targeted network. Additionally, we scrutinized the LittleDaemon and DaemonicLogistics tools, working in tandem to deploy the SlowStepper implant on Windows systems. These implants empower PlushDaemon to compromise targets globally.
For further details regarding our research featured on WeLiveSecurity, reach out to us at threatintel@eset.com.ESET Research provides exclusive APT intelligence reports and data feeds. For inquiries about this service, explore the ESET Threat Intelligence page.
IoCs
You can access a comprehensive list of indicators of compromise and samples on our GitHub repository.
Files
| SHA-1 | Filename | ESET detection name | Description |
8F569641691ECB3888CD4C11932A5B8E13F04B07 |
bioset |
Linux/Agent.AEP | EdgeStepper. |
06177810D61A69F34091CC9689B813740D4C260F |
bioset.conf |
Win32/Rozena.BXX | Encrypted configuration for EdgeStepper. |
69974455D8C13C5D57C1EE91E147FF9AED49AEBC |
popup_4.2.0.2246.dll |
Win32/Agent.AGXK | LittleDaemon. |
2857BC730952682D39F426D185769938E839A125 |
sogou_wubi_15.4.0.2508_0000.exe |
Win32/Agent.AFDT | LittleDaemon. |
Network
| IP | Domain | Hosting provider | First seen | Details |
8.212.132[.]120 |
ds20221202.dsc.wcsset[.]com |
Alibaba (US) Technology Co., Ltd. | 2024‑07‑12 | DNS/Hijacking node. |
47.242.198[.]250 |
test.dsc.wcsset[.]com |
Alibaba Cloud LLC | 2024‑07‑12 | DNS/Hijacking node. |
MITRE ATT&CK techniques
This table was constructed using version 18 of the MITRE ATT&CK framework.
| Tactic | ID | Name | Description |
| Resource Development | T1583.001 | Acquire Infrastructure: Domains | PlushDaemon leverages EdgeStepper to divert traffic to specific subdomains within the PlushDaemon infrastructure on wcsset[.]com. |
| T1583.002 | Acquire Infrastructure: DNS Server | Segments of the PlushDaemon infrastructure serve as hosts for its malicious DNS nodes. | |
| T1583.004 | Acquire Infrastructure: Server | PlushDaemon has procured servers for housing its DNS/hijacking nodes and C&C servers. | |
| T1608.001 | Stage Capabilities: Upload Malware | PlushDaemon hosts its payloads on DNS/hijacking servers. | |
| Initial Access | T1659 | Content Injection | Hijacked nodes from PlushDaemon intercept and respond to legitimate software with directives to download malware like LittleDaemon. |
| Execution | T1106 | Native API | DaemonicLogistics triggers the SlowStepper implant using the ShellExecute API. |
| Defense Evasion | T1070.004 | Indicator Removal: File Deletion | Certain variants of LittleDaemon can self-delete. |
| T1036.005 | Masquerading: Match Legitimate Name or Location | DaemonicLogistics establishes a subdirectory named Tencent to store its files. |
|
| T1036.008 | Masquerading: Masquerade File Type | DaemonicLogistics and the loader for SlowStepper decrypt files posing as ZIP and GIF formats. | |
| T1027.009 | Obfuscated Files or Information: Embedded Payloads | Files disguised as ZIPs and GIFs contain encrypted embedded components. | |
| T1027.013 | Obfuscated Files or Information: Encrypted/Encoded File | Elements of the SlowStepper implant are encrypted on the disk. | |
| Discovery | T1518.001 | Software Discovery: Security Software Discovery | DaemonicLogistics scans for the existence of 360tray.exe, a component of 360 Total Security. |
| T1016 | System Network Configuration Discovery | DaemonicLogistics tries to retrieve the MAC address of the ethernet or Wi-Fi adapter. | |
| T1057 | Process Discovery | DaemonicLogistics enumerates processes. | |
| Command and Control | T1071.001 | Application Layer Protocol: Web Protocols | LittleDaemon and DaemonicLogistics utilize HTTP for communication with their server. |
| T1573 | Encrypted Channel | LittleDaemon fetches the encrypted DaemonicLogistics via HTTP, which in turn downloads the encrypted SlowStepper implant via HTTP. | |
| T1665 | Hide Infrastructure | LittleDaemon and DaemonicLogistics camouflage their downloads by sending HTTP requests to legitimate domains. |

