PlushDaemon compromises network devices for adversary-in-the-middle attacks
ID: 4df3aaee-11db-53c5-a1c1-6366b129d11e
STIX ID: report--4df3aaee-11db-53c5-a1c1-6366b129d11e
Feed Name: WeLiveSecurity (ESET Research)
ESET details PlushDaemon, a China-aligned APT that compromises network devices to deploy EdgeStepper, a Go-based MIPS implant that redirects DNS queries to attacker-controlled nodes in order to hijack legitimate software updates. The hijacked updates deliver LittleDaemon and DaemonicLogistics, which install the SlowStepper backdoor on Windows systems. The report includes technical analysis of the implants and downloaders, IoCs (file hashes, domains, IPs), victim distribution, and MITRE ATT&CK mappings.
