Chinese espionage crews quietly refine their tactics while defenders chase more obvious firestorms. In this case, a group that researchers track as PlushDaemon built a long-running operation around Chinese APT router hijacking: they compromise edge devices, intercept software-update traffic, and quietly swap trusted installers for espionage payloads. ESET's research shows activity stretching back to at least 2018, with victims in mainland China, Hong Kong, Taiwan, Cambodia, New Zealand, and the United States.
Because the group focuses on routers and other network gear rather than endpoints, defenders often miss the first stage entirely. However, once PlushDaemon controls a router, it can sit in the path of every DNS lookup, watch for specific software updaters, and redirect those requests into its own supply-chain trap. As a result, trusted update workflows quietly deliver the group's custom espionage toolkit instead of legitimate patches.
Chinese APT router hijacking: the basic play
PlushDaemon does not start with software vendors; it starts with the network devices that sit between users and the internet. According to ESET, the group targets routers and similar appliances that sit on the edge of victim networks, and it gains that foothold either by exploiting firmware vulnerabilities or by logging in with weak and default administrative credentials.
Once the operators control a router, they deploy a Go-based implant that ESET named EdgeStepper. Because EdgeStepper runs on MIPS-class hardware and similar platforms, it fits neatly into the consumer and enterprise router ecosystem. The implant intercepts every DNS query that crosses the device and forwards those queries to a malicious DNS server under PlushDaemon's control. That external DNS node then decides whether the requested domain looks like a software-update endpoint and, if so, returns an attacker-controlled IP address instead of the legitimate one.
Consequently, victims keep using their normal applications, yet the "update check" they trust now walks straight into PlushDaemon's infrastructure. The user never sees an exploit window or a fake installer prompt; they simply receive a tampered update from what looks like the right place.
How EdgeStepper turns update traffic into an AitM chain
Because EdgeStepper redirects DNS traffic, PlushDaemon can cherry-pick which applications it wants to abuse. ESET's public reporting highlights several popular Chinese-language products: Sogou Pinyin input software, Baidu Netdisk cloud storage, Tencent QQ messaging, and WPS Office.
When one of those clients asks for an update server, EdgeStepper steers the query toward a malicious DNS node. That node resolves the domain to a hijacking server that delivers a staged malware sequence. In ESET's lab work, that sequence started with downloaders dubbed LittleDaemon and DaemonicLogistics and ended with a full-featured backdoor named SlowStepper on victim Windows systems.
Because these components arrive through the same channels that normally deliver updates, endpoint users and many security tools treat the traffic as expected background noise. Therefore, the adversary enjoys a high-trust path straight into sensitive desktops and servers without any exotic exploit chains. In practice, that pattern matches a broader trend in Chinese APT operations: use network edge devices as quiet man-in-the-middle platforms and then pivot into more traditional espionage tooling.
What SlowStepper does once it lands
Researchers describe SlowStepper as a modular espionage backdoor with dozens of components. After installation, it can harvest system information, collect browser data and cookies, pull documents, and interact with messaging platforms such as WeChat.
Because the operators route update traffic only for specific software families, they effectively pre-filter their victim pool. Targets that run Sogou Pinyin, Baidu Netdisk, QQ, or WPS Office often belong to Chinese-speaking organizations or diaspora communities, which aligns with PlushDaemon's targeting pattern. ESET's victim list includes universities, electronics manufacturers, and other industrial organizations across East Asia and beyond, yet almost all of them rely on Chinese-language software stacks.
Therefore, the group gains both reach and precision: it can compromise routers anywhere in the world, yet it only triggers its adversary-in-the-middle chain when upstream software behavior suggests a Chinese-centric environment. That combination keeps noise low and helps PlushDaemon stay under the radar for years.
Why PlushDaemon stays so quiet
Threat-intel teams often focus on high-profile campaigns or global splash events, so a group that mostly hits domestic or regional Chinese targets naturally receives less attention. PlushDaemon appears to exploit that blind spot. ESET traces activity back to at least 2018, yet only a few public write-ups surfaced before this latest wave of research.
Because the operation leans heavily on Chinese consumer and enterprise software ecosystems, many victims sit inside environments that outsiders struggle to monitor. At the same time, the group hides behind behaviors that look routine: DNS resolution, router management, and software updates. In contrast, more visible Chinese APT activity around router hijacking, such as BlackTech's use of compromised routers as stealth infrastructure or recent campaigns like LapDogs and WrtHug that conscript tens of thousands of ASUS routers, tends to attract wider coverage.
Nevertheless, PlushDaemon's approach deserves attention because it blends that infrastructure play with a very specific software-update hijack and a well-maintained Windows espionage toolkit.
How this fits the bigger router-focused threat landscape
Because routers often run for years with default passwords and unpatched firmware, Chinese APT router hijacking continues to gain traction across multiple campaigns. Other reporting this year already highlighted China-linked operations that backdoor carrier-grade routers, build covert relay networks out of SOHO gear, and hijack tens of thousands of ASUS devices in an operation dubbed WrtHug.
At the same time, strategic intelligence reports and government advisories keep warning that Chinese state-aligned actors increasingly treat network edge devices as long-term collection platforms. CISA's guidance on China-linked router campaigns and ENISA's threat-landscape work both underline that trend.
PlushDaemon simply pushes the idea further: it does not stop at using routers as launchpads or relays; instead, it rewires software-update flows to position its malware where defenders assume the highest level of trust. Because secure-update design sits at the core of modern software-supply-chain security, this router-centric twist matters far beyond one APT brand name.
Practical defense steps against router-led software-update hijacks
Security teams cannot treat routers and similar network devices as "set-and-forget" appliances any longer. Instead, they need controls that treat those boxes as high-value assets with direct influence over software-supply-chain integrity.
Because PlushDaemon leans on weak credentials and unpatched firmware, defenders should first inventory which routers, VPN gateways, and firewalls sit inside their perimeter and which of those still run outdated code or default passwords. Then they should prioritize patching, credential rotation, and replacement of end-of-life models, especially in regions and sectors that overlap with PlushDaemon's known targeting.
Meanwhile, organizations that ship software updates to customers should verify that their update mechanisms remain safe when an adversary-in-the-middle sits on the customer side. That means deploying signed updates, enforcing signature checks in the client before anything downloaded runs, and monitoring for anomalies in update traffic that might indicate DNS tampering or unexpected relay nodes.
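A minimal client-side gate of the kind the paragraph calls for, written in Go as an added example (it is not code from ESET, from PlushDaemon's toolkit, or from any vendor named on this page): the vendor signs a small manifest with Ed25519, the client verifies that manifest against a key pinned in its own binary, refuses rollback to an older version, and only then checks the downloaded installer's digest. The product name, version numbers, keys and installer bytes are constructed placeholders.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
	"strconv"
	"strings"
)

// Manifest is the small document the vendor signs. The installer is bound to it
// through its hex SHA-256 digest (see HashHex) rather than being signed directly.
type Manifest struct {
	Product string
	Version int
	SHA256  string
}

// ParseManifest runs only after the signature check, so it never sees altered bytes.
func ParseManifest(b []byte) (Manifest, error) {
	lines := strings.Split(strings.TrimRight(string(b), "\n"), "\n")
	if len(lines) != 3 {
		return Manifest{}, errors.New("malformed manifest")
	}
	v, err := strconv.Atoi(lines[1])
	if err != nil {
		return Manifest{}, fmt.Errorf("bad version: %w", err)
	}
	return Manifest{Product: lines[0], Version: v, SHA256: lines[2]}, nil
}

func HashHex(b []byte) string {
	return fmt.Sprintf("%x", sha256.Sum256(b))
}

// SignManifest is the vendor-side step; the private key stays on the build system.
func SignManifest(priv ed25519.PrivateKey, m Manifest) (manifestBytes, sig []byte) {
	manifestBytes = []byte(fmt.Sprintf("%s\n%d\n%s\n", m.Product, m.Version, m.SHA256))
	return manifestBytes, ed25519.Sign(priv, manifestBytes)
}

var (
	ErrBadSignature = errors.New("manifest signature invalid")
	ErrRollback     = errors.New("manifest version is not newer than installed version")
	ErrHashMismatch = errors.New("installer digest does not match signed manifest")
)

// VerifyUpdate is the client-side gate run before anything downloaded executes.
// pub is the vendor key pinned in the client binary, never fetched over the update channel.
func VerifyUpdate(pub ed25519.PublicKey, installedVersion int,
	manifestBytes, sig, installer []byte) (Manifest, error) {
	if !ed25519.Verify(pub, manifestBytes, sig) {
		return Manifest{}, ErrBadSignature
	}
	m, err := ParseManifest(manifestBytes)
	if err != nil {
		return Manifest{}, err
	}
	if m.Version <= installedVersion {
		return Manifest{}, ErrRollback // a replayed genuine-but-stale manifest is refused
	}
	if HashHex(installer) != m.SHA256 {
		return Manifest{}, ErrHashMismatch
	}
	return m, nil
}

// Outcome holds the verdict for each scenario played through in Demo.
type Outcome struct{ Legit, SwappedInstaller, ForgedManifest, Rollback error }

// Demo plays the scenarios with constructed keys, bytes, product name and versions.
func Demo() (Outcome, error) {
	vendorPub, vendorPriv, err1 := ed25519.GenerateKey(rand.Reader)
	_, attackerPriv, err2 := ed25519.GenerateKey(rand.Reader)
	if err1 != nil || err2 != nil {
		return Outcome{}, fmt.Errorf("key generation failed: %v %v", err1, err2)
	}
	genuine := []byte("constructed stand-in for the genuine installer")
	tampered := []byte("constructed stand-in for a swapped installer")
	mb, sig := SignManifest(vendorPriv, Manifest{"ExampleUpdater", 42, HashHex(genuine)})
	var o Outcome
	// 1. Real manifest, real installer: accepted.
	_, o.Legit = VerifyUpdate(vendorPub, 41, mb, sig, genuine)
	// 2. Hijacking server keeps the real manifest but swaps the installer.
	_, o.SwappedInstaller = VerifyUpdate(vendorPub, 41, mb, sig, tampered)
	// 3. Hijacking server ships its own manifest signed with its own key.
	fmb, fsig := SignManifest(attackerPriv, Manifest{"ExampleUpdater", 43, HashHex(tampered)})
	_, o.ForgedManifest = VerifyUpdate(vendorPub, 41, fmb, fsig, tampered)
	// 4. Genuine but stale manifest replayed to a client already on version 42.
	_, o.Rollback = VerifyUpdate(vendorPub, 42, mb, sig, genuine)
	return o, nil
}

func main() {
	o, err := Demo()
	fmt.Printf("%+v (setup error: %v)\n", o, err)
}
```

The point of the four scenarios is that a DNS redirect lets the hijacking server answer the update request with whatever it likes, but it cannot produce a signature that verifies under the pinned vendor key; the design therefore only holds if the public key ships inside the client and is rotated through a signed manifest rather than fetched from the same domain an implant can redirect. Verifying before parsing keeps the manifest parser out of reach of untrusted input, and the version check closes the remaining gap, replaying an old but genuinely signed release whose installer has a known weakness.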
In addition, defenders can:
• Monitor DNS patterns around critical update domains and alert when traffic suddenly routes through unfamiliar resolvers.
• Correlate suspicious router logs (unexpected reboots, configuration changes, new processes) with endpoint telemetry to spot early EdgeStepper-style activity.
• Fold router integrity checks and DNS-resolver baselining into regular threat-hunting cycles.
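As an added example of the DNS-side monitoring in the bullets above (not tooling from ESET or from any source the page cites), this Go program runs a small hunt over constructed DNS sensor records: every lookup of a vendor update domain is checked against an approved list of upstream resolvers and against the address ranges that domain's answers normally fall into. The log format, domain names, addresses and baseline are assumptions made for the example.

```go
package main

import (
	"fmt"
	"net/netip"
	"strings"
)

// DNSEvent is one pipe-delimited record from a DNS sensor: when, which client
// asked, which upstream server the query was sent to, the name, and the A record.
type DNSEvent struct {
	Time, Client, Upstream, QName, Answer string
}

// UpdateBaseline is the learned "normal" for one vendor update domain.
type UpdateBaseline struct {
	Domain   string
	Prefixes []netip.Prefix // ranges its answers have historically fallen in
}

type Alert struct {
	Reason string
	Event  DNSEvent
}

func parseLine(line string) (DNSEvent, error) {
	f := strings.Split(line, "|")
	if len(f) != 5 {
		return DNSEvent{}, fmt.Errorf("bad record: %q", line)
	}
	return DNSEvent{f[0], f[1], f[2], strings.ToLower(strings.TrimSuffix(f[3], ".")), f[4]}, nil
}

// Analyze flags update-domain lookups sent to an unapproved upstream server or
// answered with an address outside that domain's baseline ranges.
func Analyze(lines []string, approvedUpstreams []string, baselines []UpdateBaseline) ([]Alert, error) {
	approved := map[string]bool{}
	for _, u := range approvedUpstreams {
		approved[u] = true
	}
	var alerts []Alert
	for _, line := range lines {
		ev, err := parseLine(line)
		if err != nil {
			return nil, err
		}
		var bl *UpdateBaseline
		for i := range baselines {
			d := baselines[i].Domain
			if ev.QName == d || strings.HasSuffix(ev.QName, "."+d) {
				bl = &baselines[i]
				break
			}
		}
		if bl == nil {
			continue // not an update domain: out of scope for this hunt
		}
		if !approved[ev.Upstream] {
			alerts = append(alerts, Alert{"query sent to unapproved upstream " + ev.Upstream, ev})
		}
		addr, err := netip.ParseAddr(ev.Answer)
		if err != nil {
			return nil, fmt.Errorf("bad answer in %q: %w", line, err)
		}
		inRange := false
		for _, p := range bl.Prefixes {
			inRange = inRange || p.Contains(addr)
		}
		if !inRange {
			alerts = append(alerts, Alert{"answer outside baseline: " + ev.Answer, ev})
		}
	}
	return alerts, nil
}

// Constructed sample log; records 3 and 4 model a hijacked update lookup.
var sampleLog = []string{
	"2025-11-20T09:00:01Z|10.0.0.21|10.0.0.2|update.example-updater.test|203.0.113.10",
	"2025-11-20T09:00:05Z|10.0.0.22|10.0.0.2|www.example.test|198.51.100.7",
	"2025-11-20T09:01:10Z|10.0.0.21|192.0.2.53|update.example-updater.test|192.0.2.80",
	"2025-11-20T09:02:00Z|10.0.0.23|10.0.0.2|dl.example-updater.test|192.0.2.81",
}

func RunSample() ([]Alert, error) {
	baseline := UpdateBaseline{Domain: "example-updater.test",
		Prefixes: []netip.Prefix{netip.MustParsePrefix("203.0.113.0/24")}}
	return Analyze(sampleLog, []string{"10.0.0.2"}, []UpdateBaseline{baseline})
}

func main() {
	alerts, err := RunSample()
	if err != nil {
		panic(err)
	}
	for _, a := range alerts {
		fmt.Printf("%s %s %s: %s\n", a.Event.Time, a.Event.Client, a.Event.QName, a.Reason)
	}
}
```

Record 3 stands for a sensor placed upstream of the router, which sees the forwarded query leave for an unfamiliar server; record 4 stands for the LAN view, where the forwarder address looks normal and only the answer is wrong. That second case is what an EdgeStepper-style implant on the router itself produces, so the answer baseline is the check that still fires when the resolver check cannot. Because vendor CDNs do shift address ranges, an out-of-range answer is a hunting lead to confirm against the router's configuration and the update client's download, not a verdict on its own.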
Because Chinese APT router hijacking no longer stays theoretical, blue teams need a playbook that covers update-path abuse through compromised infrastructure, not just traditional supply-chain tampering at the vendor's side.
What security leaders should take away
PlushDaemon's EdgeStepper and SlowStepper campaign shows how quietly an APT can run when it focuses on routers, DNS, and trusted update flows instead of flashy zero-days. Because the group targets widely used Chinese-language software and primarily Chinese organizations, many global defenders only now notice its tactics; however, the technical pattern absolutely translates to other regions and vendor ecosystems.
Therefore, security leaders should treat router-centric update hijacks as part of their core supply-chain threat model. They should push networking and infrastructure teams to own router hygiene, ensure software teams harden update channels against adversary-in-the-middle attacks, and require incident responders to investigate edge devices whenever they see suspicious update behavior.
If organizations close that gap, PlushDaemon's playbook loses much of its power. If they ignore it, Chinese APT router hijacking campaigns will keep turning mundane update traffic into a low-friction espionage channel that hardly anyone watches.
FAQs
Q1: Who is PlushDaemon and how does this Chinese APT operate?
PlushDaemon is a China-aligned advanced persistent threat group that security researchers have tracked since at least 2018. The group compromises routers and other network devices and deploys an implant called EdgeStepper.
Q2: How does EdgeStepper enable software-update hijacking on routers?
EdgeStepper runs on compromised network devices and redirects all DNS queries to an external malicious DNS node. That node checks whether the requested domain belongs to a software-update service and, if so, responds with the IP address of an attacker-controlled hijacking server. The hijacking server then serves staged malware instead of legitimate updates.
Q3: Which organizations face the highest risk from this Chinese APT router hijacking campaign?
ESET reporting highlights victims in mainland China, Hong Kong, Taiwan, Cambodia, New Zealand, and the United States, including universities and manufacturing firms. Any organization that relies on vulnerable routers and uses the affected software families (Sogou Pinyin, Baidu Netdisk, Tencent QQ, or WPS Office) sits inside the likely target profile.
Q4: Why does this technique matter beyond Chinese software ecosystems?
The core technique (compromising routers, deploying an implant, and hijacking software updates) does not depend on Chinese-language applications. Other APTs can reuse the same pattern against different vendors and regions. That risk aligns with broader warnings about nation-state groups exploiting edge devices and software-update channels as part of their supply-chain arsenal.
Q5: What can defenders do right now against router-based software-update hijacks?
Defenders can harden routers by patching firmware, eliminating default passwords, and replacing end-of-life hardware. They should also enforce signed updates with strict signature verification and monitor DNS behavior around update domains.