
Chinese PlushDaemon APT Turns Routers into Software Traps

[Image: diagram of EdgeStepper on a compromised router redirecting software-update traffic to a PlushDaemon command server] Caption: PlushDaemon's Chinese APT router hijacking campaign uses the EdgeStepper implant to reroute trusted software-update traffic through attacker-controlled infrastructure.

Chinese espionage crews quietly refine their tactics while defenders chase more obvious firestorms. In this case, a group that researchers track as PlushDaemon built a long-running operation around Chinese APT router hijacking: they compromise edge devices, intercept software-update traffic, and quietly swap trusted installers for espionage payloads. ESET's research shows activity stretching back to at least 2018, with victims in mainland China, Hong Kong, Taiwan, Cambodia, New Zealand, and the United States.

Because the group focuses on routers and other network gear rather than endpoints, defenders often miss the first stage entirely. However, once PlushDaemon controls a router, it can sit in the path of every DNS lookup, watch for specific software updaters, and redirect those requests into its own supply-chain trap. As a result, trusted update workflows quietly deliver the group’s custom espionage toolkit instead of legitimate patches.

Chinese APT router hijacking: the basic play

PlushDaemon does not start with software vendors; it starts with the network devices that sit between users and the internet. According to ESET, the group targets routers and similar appliances that sit on the edge of victim networks, and it gains that foothold either by exploiting firmware vulnerabilities or by logging in with weak and default administrative credentials.

Once the operators control a router, they deploy a Go-based implant that ESET named EdgeStepper. Because EdgeStepper runs on MIPS-class hardware and similar platforms, it fits neatly into the consumer and enterprise router ecosystem. The implant intercepts every DNS query that crosses the device and forwards those queries to a malicious DNS server under PlushDaemon's control. That external DNS node then decides whether the requested domain looks like a software-update endpoint and, if so, returns an attacker-controlled IP address instead of the legitimate one.

Consequently, victims keep using their normal applications, yet the “update check” they trust now walks straight into PlushDaemon’s infrastructure. The user never sees an exploit window or a fake installer prompt; they simply receive a tampered update from what looks like the right place.

How EdgeStepper turns update traffic into an AitM chain

Because EdgeStepper redirects DNS traffic, PlushDaemon can cherry-pick which applications it wants to abuse. ESET’s public reporting highlights several popular Chinese-language products: Sogou Pinyin input software, Baidu Netdisk cloud storage, Tencent QQ messaging, and WPS Office.

When one of those clients asks for an update server, EdgeStepper steers the query toward a malicious DNS node. That node resolves the domain to a hijacking server that delivers a staged malware sequence. In ESET's lab work, that sequence started with downloaders dubbed LittleDaemon and DaemonicLogistics and ended with a full-featured backdoor named SlowStepper on victim Windows systems.

Because these components arrive through the same channels that normally deliver updates, endpoint users and many security tools treat the traffic as expected background noise. Therefore, the adversary enjoys a high-trust path straight into sensitive desktops and servers without any exotic exploit chains. In practice, that pattern matches a broader trend in Chinese APT operations: use network edge devices as quiet man-in-the-middle platforms and then pivot into more traditional espionage tooling.

What SlowStepper does once it lands

Researchers describe SlowStepper as a modular espionage backdoor with dozens of components. After installation, it can harvest system information, collect browser data and cookies, pull documents, and interact with messaging platforms such as WeChat.

Because the operators route update traffic only for specific software families, they effectively pre-filter their victim pool. Targets that run Sogou Pinyin, Baidu Netdisk, QQ, or WPS Office often belong to Chinese-speaking organizations or diaspora communities, which aligns with PlushDaemon’s targeting pattern. ESET’s victim list includes universities, electronics manufacturers, and other industrial organizations across East Asia and beyond, yet almost all of them rely on Chinese-language software stacks.

Therefore, the group gains both reach and precision: it can compromise routers anywhere in the world, yet it only triggers its adversary-in-the-middle chain when upstream software behavior suggests a Chinese-centric environment. That combination keeps noise low and helps PlushDaemon stay under the radar for years.

Why PlushDaemon stays so quiet

Threat-intel teams often focus on high-profile campaigns or global splash events, so a group that mostly hits domestic or regional Chinese targets naturally receives less attention. PlushDaemon appears to exploit that blind spot. ESET traces activity back to at least 2018, yet only a few public write-ups surfaced before this latest wave of research.

Because the operation leans heavily on Chinese consumer and enterprise software ecosystems, many victims sit inside environments that outsiders struggle to monitor. At the same time, the group hides behind behaviors that look routine: DNS resolution, router management, and software updates. In contrast, more visible Chinese APT activity around router hijacking, such as BlackTech's use of compromised routers as stealth infrastructure or recent campaigns like LapDogs and WrtHug that conscript tens of thousands of ASUS routers, tends to attract wider coverage.

Nevertheless, PlushDaemon’s approach deserves attention because it blends that infrastructure play with a very specific software-update hijack and a well-maintained Windows espionage toolkit.

How this fits the bigger router-focused threat landscape

Because routers often run for years with default passwords and unpatched firmware, Chinese APT router hijacking continues to gain traction across multiple campaigns. Other reporting this year already highlighted China-linked operations that backdoor carrier-grade routers, build covert relay networks out of SOHO gear, and hijack tens of thousands of ASUS devices in an operation dubbed WrtHug.

At the same time, strategic intelligence reports and government advisories keep warning that Chinese state-aligned actors increasingly treat network edge devices as long-term collection platforms. CISA’s guidance on China-linked router campaigns and ENISA’s threat-landscape work both underline that trend.

PlushDaemon simply pushes the idea further: it does not stop at using routers as launchpads or relays; instead, it rewires software-update flows to position its malware where defenders assume the highest level of trust. Because secure-update design sits at the core of modern software-supply-chain security, this router-centric twist matters far beyond one APT brand name.

Practical defense steps against router-led software-update hijacks

Security teams cannot treat routers and similar network devices as “set-and-forget” appliances any longer. Instead, they need controls that treat those boxes as high-value assets with direct influence over software-supply-chain integrity.

Because PlushDaemon leans on weak credentials and unpatched firmware, defenders should first inventory which routers, VPN gateways, and firewalls sit inside their perimeter and which of those still run outdated code or default passwords. Then they should prioritize patching, credential rotation, and replacement of end-of-life models, especially in regions and sectors that overlap with PlushDaemon’s known targeting.

Meanwhile, organizations that ship software updates to customers should verify that their update mechanisms tolerate adversary-in-the-middle scenarios on the customer side. That means deploying signed updates, enforcing signature checks, and monitoring for anomalies in update traffic that might indicate DNS tampering or unexpected relay nodes.
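The signature-check requirement above in working form, as an added example (not code from ESET or from any vendor mentioned on this page): a Go update client that verifies an Ed25519-signed manifest against a public key pinned in the client binary, checks the installer hash, and refuses downgrades. The manifest format, build numbers, keys and installer bytes are all constructed for the example; a real client would fetch the manifest and installer over the network, which is exactly the path an EdgeStepper-style redirection controls.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// UpdateManifest is what a (hypothetical) update client downloads: the offered
// build number, the SHA-256 of the installer bytes, and an Ed25519 signature
// over both, produced with the vendor's offline signing key.
type UpdateManifest struct {
	Build     uint64
	SHA256Hex string
	Signature []byte
}

// signedMessage is the canonical byte string the vendor signs and the client
// verifies. Binding the build number in means a replayed older manifest
// still carries a valid signature but fails the downgrade check below.
func signedMessage(build uint64, sha256Hex string) []byte {
	return []byte(fmt.Sprintf("update-manifest-v1\n%d\n%s\n", build, sha256Hex))
}

// SignManifest is the vendor-side step, included so the example runs end to end.
func SignManifest(priv ed25519.PrivateKey, build uint64, installer []byte) UpdateManifest {
	sum := sha256.Sum256(installer)
	h := hex.EncodeToString(sum[:])
	return UpdateManifest{Build: build, SHA256Hex: h, Signature: ed25519.Sign(priv, signedMessage(build, h))}
}

// VerifyUpdate is the client-side check. It trusts only the public key pinned
// in the client binary, so it does not matter which server a hijacked DNS
// answer steered the download to: anything the vendor did not sign is rejected.
func VerifyUpdate(pinned ed25519.PublicKey, installedBuild uint64, m UpdateManifest, installer []byte) error {
	if !ed25519.Verify(pinned, signedMessage(m.Build, m.SHA256Hex), m.Signature) {
		return errors.New("manifest not signed by the pinned vendor key")
	}
	sum := sha256.Sum256(installer)
	if hex.EncodeToString(sum[:]) != m.SHA256Hex {
		return errors.New("installer bytes do not match the signed hash")
	}
	if m.Build <= installedBuild {
		return fmt.Errorf("refusing downgrade or replay: offered build %d, installed %d", m.Build, installedBuild)
	}
	return nil
}

// ScenarioResult records the four situations an update client must get right
// when a compromised router can reroute its update traffic.
type ScenarioResult struct {
	GenuineAccepted, TamperedRejected, ResignedRejected, DowngradeRejected bool
}

// RunScenarios exercises VerifyUpdate with constructed keys and payloads.
func RunScenarios() ScenarioResult {
	vendorPub, vendorPriv, _ := ed25519.GenerateKey(nil)
	_, hijackerPriv, _ := ed25519.GenerateKey(nil) // the hijacking server's own key
	genuine := []byte("legitimate installer bytes (constructed)")
	trojan := []byte("installer with an added backdoor (constructed)")

	m := SignManifest(vendorPriv, 210, genuine)
	var r ScenarioResult
	r.GenuineAccepted = VerifyUpdate(vendorPub, 209, m, genuine) == nil
	// Hijacker keeps the vendor's manifest but serves a different installer.
	r.TamperedRejected = VerifyUpdate(vendorPub, 209, m, trojan) != nil
	// Hijacker serves a manifest for the trojan signed with its own key.
	r.ResignedRejected = VerifyUpdate(vendorPub, 209, SignManifest(hijackerPriv, 210, trojan), trojan) != nil
	// Hijacker replays an older, genuinely signed build to reopen a fixed bug.
	r.DowngradeRejected = VerifyUpdate(vendorPub, 210, SignManifest(vendorPriv, 190, genuine), genuine) != nil
	return r
}

func main() {
	fmt.Printf("%+v\n", RunScenarios())
}
```

The design point is that trust is anchored in the vendor's key, not in the server the client happened to reach: a hijacking server sitting at the address the redirected DNS answer supplied can serve any bytes it likes, but it cannot produce a signature the pinned key accepts, and the build-number check keeps it from replaying an older signed release.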

In addition, defenders can:

• Monitor DNS patterns around critical update domains and alert when traffic suddenly routes through unfamiliar resolvers.
• Correlate suspicious router logs (unexpected reboots, configuration changes, new processes) with endpoint telemetry to spot early EdgeStepper-style activity.
• Fold router integrity checks and DNS-resolver baselining into regular threat-hunting cycles.
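A minimal version of the first and third bullets, as an added example (not ESET's tooling or any product's code): Go code that runs over constructed DNS log lines, flags queries answered by a resolver outside the baseline, and flags watched update hostnames that resolve outside their known-good prefixes. The log format, hostnames, prefixes and resolver addresses are all constructed; parseRecord would be adapted to whatever resolver or firewall export is actually available. One caveat worth building in: when the implant sits on the router that is itself the clients' configured resolver, the resolver address looks normal from the endpoint side, so the answer-address baseline is the check that catches the redirection this page describes.

```go
package main

import (
	"fmt"
	"net"
	"strings"
)

// Baseline is what a defender already knows about their own network: which
// resolvers clients should use and what each watched update host resolves to.
type Baseline struct {
	Resolvers map[string]bool         // allowed resolver IPs, as strings
	Expected  map[string][]*net.IPNet // watched update qname -> known-good prefixes
}

// Alert is one finding; Kind is "unknown-resolver", "unexpected-answer" or "unparsable".
type Alert struct{ Line int; Kind, Detail string }

// parseRecord reads one line of the constructed "ts key=value ..." log format.
func parseRecord(line string) map[string]string {
	rec := map[string]string{}
	for _, f := range strings.Fields(line) {
		if kv := strings.SplitN(f, "=", 2); len(kv) == 2 {
			rec[kv[0]] = kv[1]
		}
	}
	if rec["resolver"] == "" || rec["qname"] == "" || rec["answer"] == "" {
		return nil // malformed or truncated record
	}
	return rec
}

func inAny(ip net.IP, nets []*net.IPNet) bool {
	for _, n := range nets {
		if n.Contains(ip) {
			return true
		}
	}
	return false
}

// Analyze flags (1) any query answered by a resolver outside the baseline and
// (2) any watched update hostname resolving outside its known-good prefixes.
func Analyze(lines []string, b Baseline) []Alert {
	var alerts []Alert
	for i, line := range lines {
		n := i + 1
		rec := parseRecord(line)
		if rec == nil {
			alerts = append(alerts, Alert{n, "unparsable", line}) // report, never skip silently
			continue
		}
		if !b.Resolvers[rec["resolver"]] {
			alerts = append(alerts, Alert{n, "unknown-resolver", rec["resolver"] + " answered " + rec["qname"]})
		}
		qname := strings.ToLower(strings.TrimSuffix(rec["qname"], "."))
		prefixes, watched := b.Expected[qname]
		if !watched {
			continue
		}
		ip := net.ParseIP(rec["answer"])
		if ip == nil || !inAny(ip, prefixes) {
			alerts = append(alerts, Alert{n, "unexpected-answer", qname + " -> " + rec["answer"]})
		}
	}
	return alerts
}

func mustCIDR(s string) *net.IPNet {
	_, n, err := net.ParseCIDR(s)
	if err != nil {
		panic(err)
	}
	return n
}

// SampleBaseline and SampleLog are constructed; the names and addresses are documentation ranges.
func SampleBaseline() Baseline {
	return Baseline{
		Resolvers: map[string]bool{"10.0.0.1": true},
		Expected: map[string][]*net.IPNet{
			"updates.vendor-a.example": {mustCIDR("198.51.100.0/24")},
			"updates.vendor-b.example": {mustCIDR("198.51.100.128/25")},
		},
	}
}

var SampleLog = []string{
	"2025-11-20T09:14:02Z client=10.0.0.12 resolver=10.0.0.1 qname=updates.vendor-a.example answer=198.51.100.20",
	"2025-11-20T09:14:05Z client=10.0.0.12 resolver=10.0.0.1 qname=www.vendor-a.example answer=198.51.100.80",
	"2025-11-20T09:15:11Z client=10.0.0.31 resolver=10.0.0.1 qname=updates.vendor-a.example answer=203.0.113.44",
	"2025-11-20T09:16:40Z client=10.0.0.45 resolver=192.0.2.9 qname=updates.vendor-b.example answer=198.51.100.130",
	"2025-11-20T09:17:09Z truncated record",
}

func main() {
	for _, a := range Analyze(SampleLog, SampleBaseline()) {
		fmt.Printf("line %d: %s: %s\n", a.Line, a.Kind, a.Detail)
	}
}
```

Run against the sample, this reports line 3 (an update host answering from outside its baseline prefix), line 4 (a query answered by a resolver the network does not use) and line 5 (a record the parser could not read). Building the Expected map from a few weeks of known-clean resolver history, and reviewing it whenever a vendor legitimately moves its update CDN, is the baselining step the third bullet refers to.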

Because Chinese APT router hijacking no longer stays theoretical, blue teams need a playbook that covers update-path abuse through compromised infrastructure, not just traditional supply-chain tampering at the vendor’s side.

What security leaders should take away

PlushDaemon’s EdgeStepper and SlowStepper campaign shows how quietly an APT can run when it focuses on routers, DNS, and trusted update flows instead of flashy zero-days. Because the group targets widely used Chinese-language software and primarily Chinese organizations, many global defenders only now notice its tactics; however, the technical pattern absolutely translates to other regions and vendor ecosystems.

Therefore, security leaders should treat router-centric update hijacks as part of their core supply-chain threat model. They should push networking and infrastructure teams to own router hygiene, ensure software teams harden update channels against adversary-in-the-middle attacks, and require incident responders to investigate edge devices whenever they see suspicious update behavior.

If organizations close that gap, PlushDaemon’s playbook loses much of its power. If they ignore it, Chinese APT router hijacking campaigns will keep turning mundane update traffic into a low-friction espionage channel that hardly anyone watches.

FAQs

Q1: Who is PlushDaemon and how does this Chinese APT operate?
PlushDaemon is a China-aligned advanced persistent threat group that security researchers have tracked since at least 2018. The group compromises routers and other network devices and deploys an implant called EdgeStepper.

Q2: How does EdgeStepper enable software-update hijacking on routers?
EdgeStepper runs on compromised network devices and redirects all DNS queries to an external malicious DNS node. That node checks whether the requested domain belongs to a software-update service and, if so, responds with the IP address of an attacker-controlled hijacking server. The hijacking server then serves staged malware instead of legitimate updates.

Q3: Which organizations face the highest risk from this Chinese APT router hijacking campaign?
ESET reporting highlights victims in mainland China, Hong Kong, Taiwan, Cambodia, New Zealand, and the United States, including universities and manufacturing firms. Any organization that relies on vulnerable routers and uses the affected software families, such as Sogou Pinyin, Baidu Netdisk, Tencent QQ, or WPS Office, sits inside the likely target profile.

Q4: Why does this technique matter beyond Chinese software ecosystems?
The core technique (compromising routers, deploying an implant, and hijacking software updates) does not depend on Chinese-language applications. Other APTs can reuse the same pattern against different vendors and regions. That risk aligns with broader warnings about nation-state groups exploiting edge devices and software-update channels as part of their supply-chain arsenal.

Q5: What can defenders do right now against router-based software-update hijacks?
Defenders can harden routers by patching firmware, eliminating default passwords, and replacing end-of-life hardware. They should also enforce signed updates with strict signature verification and monitor DNS behavior around update domains.
