LmCast :: Stay tuned in

Chinese APT Infects Routers to Hijack Software Updates

Recorded: Nov. 21, 2025, 1:02 a.m.

Original

A unique take on the software update gambit has allowed "PlushDaemon" to evade attention as it mostly targets Chinese organizations.

Nate Nelson, Contributing Writer
November 20, 2025
3 Min Read

For more than half a decade now, a Chinese state-aligned threat actor has been spying on Chinese organizations by infecting their trusted software updates.

When the SolarWinds breach was unearthed in 2020, it might have seemed like a uniquely devious event in cybersecurity history. But cyberattackers and cybersecurity researchers have been finding other, novel ways of poisoning software updates since then.

"PlushDaemon" is one such group that has quietly, for quite a while now, been taking its own approach to the update hijack. Like Chinese advanced persistent threats (APTs) often do, it infects organizations through their edge devices. But where most APTs use edge devices as initial entry points to deeper network compromise, researchers at ESET have found that PlushDaemon uses them in its own way. It hijacks network traffic using a specially designed implant, re-routes legitimate software update requests to its own infrastructure, and then serves victims malicious substitutes.

Using Edge Devices to Deliver Malicious Software Updates

PlushDaemon attacks don't start off all that uniquely. They simply have to infect a router or other similar device in the path of network ingress and egress, through some software vulnerability or by exploiting guessable or default administrative credentials. If it can get in, it will deploy its signature malware, "EdgeStepper."

EdgeStepper was written in Go, compiled as an Executable and Linkable Format (ELF) file, and built specifically for MIPS32 processors. Though it has waned in recent years, MIPS was close to ubiquitous in the 2000s and 2010s, and remains popular in the routers and other Internet of things (IoT) devices that PlushDaemon weaponizes.

EdgeStepper sits between a victim and the websites they intend to reach. When a victim makes a domain name system (DNS) query, the malware — sitting on the edge of their network — intercepts and redirects it to PlushDaemon's infrastructure.

Most websites aren't of interest to PlushDaemon, and nothing special will happen. It only looks for requests generated by certain popular Chinese software products: the Sogou Pinyin Method input editor, the Baidu Netdisk cloud service, multipurpose instant messenger Tencent QQ, and the free office suite WPS Office. If one of these apps happens to make a request for the website from which it pulls updates, EdgeStepper will replace the legitimate website's IP address with a PlushDaemon IP, where a malicious download is waiting.

Following a couple of midstage downloaders, the victim will eventually download PlushDaemon's custom backdoor "SlowStepper." SlowStepper is a modular backdoor with a variety of components for stealing passwords, local files, browser cookies, a range of data associated with WeChat, and screenshots.

Mysteries Surround PlushDaemon

Certain questions still surround PlushDaemon. For instance, ESET could not say why a Chinese state-aligned APT has been spying on primarily Chinese organizations.

The majority of PlushDaemon's victims have been in mainland China or Hong Kong, such as one Taiwanese electronics manufacturer located in the mainland, and a Beijing university. Other targets have come from Taiwan, Cambodia, New Zealand, and the US. Even in those cases, though, the group has targeted characteristically Chinese software programs, indicating that those victims might also be in some way Chinese.

It's also a mystery why, besides one ESET report last year, PlushDaemon has flown so deeply under the radar for so many years. Though it has been active since at least 2018 — and its software update scheme since 2019 — it hardly garners the attention that other, lesser Chinese-state APTs have.

What's easier to understand about PlushDaemon is how to stop it. ESET malware researcher Facundo Muñoz recommends focusing on the first stage of the attack chain — the most straightforward bit, before all the threat actor's best tricks kick in.

"What we recommend defenders do," he says, "is be mindful of vulnerabilities in the devices that are in their networks, and to try to vet their credentials for vulnerabilities. That's it."

About the Author

Nate Nelson, Contributing Writer

Nate Nelson is a writer based in New York City. He formerly worked as a reporter at Threatpost, and wrote "Malicious Life," an award-winning Top 20 tech podcast on Apple and Spotify. Outside of Dark Reading, he also co-hosts "The Industrial Security Podcast."

Summarized

Chinese Advanced Persistent Threats (APTs) are employing a novel technique to compromise software updates, primarily targeting organizations within China and Hong Kong. This approach, spearheaded by a group known as “PlushDaemon,” leverages vulnerabilities in edge devices, such as routers, to hijack network traffic and deliver malicious software. The group has been active since at least 2018, primarily targeting popular Chinese software applications, including Sogou Pinyin Method, Baidu Netdisk, Tencent QQ, and WPS Office.

PlushDaemon operates by infecting devices with “EdgeStepper,” a Go-compiled executable designed for MIPS32 processors, a technology still prevalent in IoT devices. Once deployed, EdgeStepper intercepts DNS queries directed to legitimate update servers for the targeted software. Instead of routing the request to the original server, it redirects the user to PlushDaemon’s infrastructure, where a malicious download of “SlowStepper,” a modular backdoor, awaits. SlowStepper then extracts sensitive data, including passwords, local files, browser cookies, and screenshots, alongside information related to WeChat.
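The redirection described above, a gateway implant answering DNS queries for a handful of update hostnames with an attacker-controlled address, can be checked for from inside the affected network by comparing what the gateway's resolver returns against a source the gateway cannot influence. The following Python is an added example written for this page; it is not code from the article, from ESET, or from any of the products named. The hostnames, pinned address ranges and resolver answers are constructed placeholders in the documentation address ranges, and system_resolver is included only to show how the same check would read real answers from the OS stack.

```python
"""Check whether the local (gateway-provided) DNS resolver returns trustworthy
answers for software-update hostnames, by comparing each answer against pinned
legitimate address ranges or an independent reference resolver."""
from __future__ import annotations

import ipaddress
import socket
from dataclasses import dataclass
from typing import Callable, Iterable, Mapping

# A resolver maps a hostname to the set of address strings it answered with.
Resolver = Callable[[str], set[str]]

# Address space a public update server should never resolve to.
INTERNAL_RANGES = (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",  # RFC 1918
    "127.0.0.0/8", "::1/128",                         # loopback
    "169.254.0.0/16", "fe80::/10",                    # link-local
    "fc00::/7",                                       # IPv6 unique local
)


@dataclass
class Finding:
    hostname: str
    local_answers: set[str]
    expected: set[str]      # pinned ranges, or the reference resolver's answers
    unexpected: set[str]    # local answers that failed the check
    reason: str


def system_resolver(hostname: str) -> set[str]:
    """Resolve through the OS stack, i.e. the DNS server the gateway handed out."""
    try:
        return {info[4][0] for info in socket.getaddrinfo(hostname, None)}
    except socket.gaierror:
        return set()


def dict_resolver(table: Mapping[str, Iterable[str]]) -> Resolver:
    """Resolver backed by a fixed table; used here for the offline sample data."""
    return lambda hostname: set(table.get(hostname, ()))


def in_ranges(addr: str, ranges: Iterable[str]) -> bool:
    ip = ipaddress.ip_address(addr)
    # Containment is False across IP versions, so mixed v4/v6 lists are safe.
    return any(ip in ipaddress.ip_network(r) for r in ranges)


def check_update_hosts(hostnames: Iterable[str], local: Resolver, reference: Resolver,
                       pinned: Mapping[str, Iterable[str]] | None = None) -> list[Finding]:
    """Return one Finding per hostname whose local DNS answer is not trustworthy."""
    pinned = dict(pinned or {})
    findings: list[Finding] = []
    for host in hostnames:
        answers = local(host)
        if not answers:
            findings.append(Finding(host, set(), set(), set(), "no answer from local resolver"))
            continue
        if host in pinned:
            # Preferred: compare against the vendor's published ranges, which
            # tolerates CDN answers that legitimately vary by region.
            expected = set(pinned[host])
            unexpected = {a for a in answers if not in_ranges(a, expected)}
            reason = "answer outside pinned address ranges"
        else:
            # Fallback: flag any address the independent path did not also return.
            expected = reference(host)
            unexpected = answers - expected
            reason = "local resolver disagrees with reference resolver"
        internal = {a for a in answers if in_ranges(a, INTERNAL_RANGES)}
        if internal:
            unexpected |= internal
            reason += "; answer in internal address space"
        if unexpected:
            findings.append(Finding(host, answers, expected, unexpected, reason))
    return findings


# Constructed sample scenario (placeholder hostnames, TEST-NET addresses): two
# hostnames are answered honestly, two have been rewritten at the gateway.
UPDATE_HOSTS = ["dl.example-ime.test", "update.example-office.test",
                "cdn.example-disk.test", "mirror.example-qq.test"]
PINNED_RANGES = {"dl.example-ime.test": ["198.51.100.0/24"]}
LOCAL_ANSWERS = {                                              # gateway resolver
    "dl.example-ime.test": ["203.0.113.66"],                   # rewritten
    "update.example-office.test": ["192.0.2.10", "192.0.2.11"],
    "cdn.example-disk.test": ["192.0.2.50"],
    "mirror.example-qq.test": ["10.0.0.5"],                    # rewritten to an internal host
}
REFERENCE_ANSWERS = {                                          # independent resolver
    "dl.example-ime.test": ["198.51.100.7"],
    "update.example-office.test": ["192.0.2.10", "192.0.2.11"],
    "cdn.example-disk.test": ["192.0.2.50"],
    "mirror.example-qq.test": ["192.0.2.80"],
}


def run_demo() -> list[Finding]:
    return check_update_hosts(UPDATE_HOSTS, dict_resolver(LOCAL_ANSWERS),
                              dict_resolver(REFERENCE_ANSWERS), PINNED_RANGES)


if __name__ == "__main__":
    for f in run_demo():
        print(f"{f.hostname}: {f.reason} -> {sorted(f.unexpected)}")
```

Update CDNs legitimately hand out different addresses by region, so a bare comparison of two resolvers produces false positives; where a vendor publishes its address ranges, the pinned path is the check to prefer. The reference resolver only adds value if the gateway cannot rewrite it too, which in practice means reaching it over an encrypted transport rather than plain port 53 through the same device.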

The strategy’s success stems from its ability to remain largely undetected. ESET researchers attribute this partly to the group’s focus on targeting specific Chinese software, which has limited the global scope of the threat. However, the underlying technique—using compromised routers as entry points—is a well-established tactic employed by other APTs. The fact that PlushDaemon has remained largely under the radar for so long is perplexing, further highlighting the challenges in tracking and disrupting sophisticated cyber espionage operations.

Defensive measures, according to ESET malware researcher Facundo Muñoz, center on mitigating the initial stage of the attack: a thorough assessment of network devices and rigorous vetting of credentials to identify potentially exploitable vulnerabilities. Specifically, organizations should focus on patching known vulnerabilities in these devices and ensuring strong authentication mechanisms are in place to prevent unauthorized access. This early detection and remediation effort represents the most effective line of defense against a threat actor utilizing this targeted, software update hijacking method.