All news with #slowstepper tag

EdgeStepper Enables PlushDaemon Update Hijacking Attacks

🛡️ ESET researchers describe how the China-aligned actor PlushDaemon uses a previously undocumented network implant called EdgeStepper to perform adversary-in-the-middle hijacks of software update flows. EdgeStepper, a Go-based MIPS32 implant, redirects DNS traffic to malicious resolvers that reply with IPs of attacker-controlled hijacking nodes, causing legitimate updaters to fetch counterfeit components such as LittleDaemon. The analysis details the implant's AES-CBC encrypted configuration (notably using the GoFrame default key), iptables redirection of UDP/53 to a local port, and the downloader chain (LittleDaemon and DaemonicLogistics) that stages and deploys the SlowStepper backdoor on Windows hosts.