EdgeStepper Implant Hijacks DNS to Deploy SlowStepper Malware
These articles are AI-generated summaries. Please check the original sources for full details.
EdgeStepper Implant Reroutes DNS Queries to Deploy Malware via Hijacked Software Updates
The threat actor PlushDaemon is using a new Go-based backdoor called EdgeStepper to carry out adversary-in-the-middle (AitM) attacks. The implant redirects all DNS queries to attacker-controlled servers, which lets the actor hijack software updates and deploy the SlowStepper malware.
Why This Matters
Current network security models often assume DNS resolution is trustworthy and concentrate on endpoint protection. This attack shows why that assumption is a critical weakness: by compromising an edge network device and manipulating DNS traffic, the attacker bypasses traditional defenses without ever touching the endpoint directly. A hijacked software update can compromise an entire network, with remediation and lost productivity potentially costing millions.
Key Insights
- PlushDaemon Activity: Active since at least 2018, targeting entities across Asia and the US.
- AitM Poisoning: Increasingly popular technique among China-affiliated APT groups (LuoYu, Evasive Panda, BlackTech, etc.).
- SlowStepper Features: Includes extensive capabilities for data exfiltration, credential theft, and persistence.
Working Example
// Simplified, conceptual illustration of DNS query redirection.
// It only prints what an interception would do; no packets are touched.
package main

import (
	"fmt"
	"net"
)

func main() {
	// Attacker-controlled DNS server IP (placeholder address)
	attackerIP := net.ParseIP("10.0.0.1")

	// Function standing in for the interception of a DNS query.
	// (In reality this would involve packet manipulation at the network level.)
	modifyDNSQuery := func(query string) string {
		fmt.Printf("Intercepted DNS query: %s\n", query)
		fmt.Printf("Redirecting to attacker's DNS server: %s\n", attackerIP)
		return attackerIP.String()
	}

	// Example usage:
	originalQuery := "example.com"
	modifiedIP := modifyDNSQuery(originalQuery)
	fmt.Printf("Resolved IP address: %s\n", modifiedIP)
}
Practical Applications
- Use Case: PlushDaemon targets software companies and supply chains to distribute SlowStepper through compromised updates.
- Pitfall: Relying solely on endpoint security without robust DNS monitoring and edge network hardening leaves systems vulnerable to AitM attacks.
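As an added illustration of the DNS monitoring the pitfall above calls for (example code written for this summary, not taken from the original report or from the EdgeStepper or SlowStepper samples), the Go snippet below scans constructed resolver log lines for the two symptoms of an AitM DNS reroute: answers arriving from a resolver the network does not trust, and update-server names resolving outside the prefixes their vendor is expected to use. The log format, domain names, resolver addresses and prefixes are all constructed assumptions.

```go
package main

import (
	"fmt"
	"net"
	"strings"
)

// Constructed resolver log lines (not real telemetry): "qname=... resolver=... answer=...".
var SampleLog = []string{
	"qname=updates.example-vendor.com resolver=10.10.0.53 answer=203.0.113.10",
	"qname=updates.example-vendor.com resolver=10.10.0.53 answer=198.51.100.7",
	"qname=updates.example-vendor.com resolver=192.0.2.99 answer=203.0.113.10",
}

// parseLine turns "k=v k=v ..." into a map of fields (trailing dots on names dropped).
func parseLine(line string) map[string]string {
	m := map[string]string{}
	for _, f := range strings.Fields(line) {
		if k, v, ok := strings.Cut(f, "="); ok {
			m[k] = strings.TrimSuffix(v, ".")
		}
	}
	return m
}

// inPrefixes reports whether ip lies inside any of the CIDR prefixes.
func inPrefixes(ip net.IP, cidrs []string) bool {
	for _, c := range cidrs {
		if _, n, err := net.ParseCIDR(c); err == nil && n.Contains(ip) {
			return true
		}
	}
	return false
}

// DetectHijackedAnswers flags answers from untrusted resolvers and watched update domains resolving outside their expected prefixes.
func DetectHijackedAnswers(lines []string, trusted map[string]bool, expected map[string][]string) []string {
	var findings []string
	for _, line := range lines {
		r := parseLine(line)
		if !trusted[r["resolver"]] {
			findings = append(findings, fmt.Sprintf("%s: answer from untrusted resolver %s", r["qname"], r["resolver"]))
		}
		if cidrs, watched := expected[r["qname"]]; watched && !inPrefixes(net.ParseIP(r["answer"]), cidrs) {
			findings = append(findings, fmt.Sprintf("%s: resolved to %s outside expected prefixes", r["qname"], r["answer"]))
		}
	}
	return findings
}
```

Run against SampleLog with 10.10.0.53 as the only trusted resolver and 203.0.113.0/24 as the expected prefix, the second line is flagged for an out-of-range answer and the third for coming from an unexpected resolver; the first line is clean.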