Executive Summary
In 2024, a sophisticated Chinese state-sponsored group, tracked as PlushDaemon, exploited a unique supply chain tactic by compromising router firmware to hijack software update processes. These attackers covertly inserted malicious code into router updates, allowing them to intercept and manipulate network communications and deploy persistent malware within organizational networks—most notably targeting Chinese entities. Their approach leveraged trusted update channels, evading traditional detection methods and enabling infiltration with minimal immediate disruption, causing operational risk and potential data exposure on a wide scale.
This technique underscores a growing trend of software supply chain attacks, where trusted network or infrastructure elements become the entry point for espionage or cyber sabotage. Organizations face mounting pressure to secure update mechanisms as attackers increasingly target foundational controls rather than endpoint devices.
Why This Matters Now
The exploitation of router firmware updates by PlushDaemon signals an urgent shift toward supply chain attacks on core infrastructure devices, bypassing traditional endpoint security. Amidst increasing regulatory scrutiny and sophistication of state-backed attackers, this incident highlights the immediate necessity for organizations to verify update authenticity and strengthen security across their entire hardware and software supply chain.
Attack Path Analysis
The attackers initiated their campaign by compromising vulnerable routers and intercepting legitimate software update channels to inject PlushDaemon malware. Following the compromise, they achieved elevated privileges to control infected network infrastructure. With this foothold, the adversaries moved laterally across internal networks, expanding access to additional systems. They established command and control by using covert, possibly encrypted channels for remote management. Data was exfiltrated through egress points using hidden or masqueraded traffic. Ultimately, the attackers could manipulate software supply chains or disrupt operations, impacting business continuity.
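The hijack described above works because a client that trusts whatever arrives on the update channel has no way to tell a substituted package from a real one. The following added example (written for this page, not code from the report or from any router vendor) shows the checks a hardened update client applies before installing anything: a signed manifest, a pinned HTTPS origin so a redirected download is refused, a package digest bound to that manifest, and rollback protection so an older signed release cannot be replayed. HMAC-SHA256 with a shared key stands in for the asymmetric signature a vendor would ship (the device would hold only a public key); the host name, key, version strings and package bytes are constructed placeholders.

```python
import hashlib
import hmac
import json
from urllib.parse import urlparse

# Trust anchors a hardened update client ships with. Both are constructed
# placeholders for this example, not values from the report or any vendor.
PINNED_UPDATE_HOST = "updates.example-vendor.invalid"
MANIFEST_KEY = b"constructed-demo-manifest-key"  # stand-in for a vendor public key


def version_tuple(v):
    """'3.0.0.4_388' -> (3, 0, 0, 4, 388); used for rollback protection."""
    return tuple(int(p) for p in v.replace("_", ".").split("."))


def canonical_bytes(manifest):
    # Deterministic encoding so signer and verifier hash identical bytes.
    return json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()


def sign_manifest(manifest, key=MANIFEST_KEY):
    # HMAC stands in for the vendor's asymmetric signature (assumption).
    return hmac.new(key, canonical_bytes(manifest), hashlib.sha256).hexdigest()


def verify_update(manifest, signature, package, download_url, installed_version,
                  key=MANIFEST_KEY, pinned_host=PINNED_UPDATE_HOST):
    """Return (accepted, reason). Every check must pass before installation."""
    # 1. The manifest itself must be authentic; everything else hangs off it.
    if not hmac.compare_digest(sign_manifest(manifest, key), signature):
        return False, "manifest signature invalid"
    # 2. Origin pinning: a hijacked channel that redirects to another host
    #    or downgrades to plain HTTP is rejected before any bytes are trusted.
    url = urlparse(download_url)
    if url.scheme != "https" or url.hostname != pinned_host:
        return False, f"update served from unexpected origin {url.scheme}://{url.hostname}"
    # 3. The package must match the digest bound inside the signed manifest.
    if hashlib.sha256(package).hexdigest() != manifest["sha256"]:
        return False, "package digest does not match signed manifest"
    # 4. Rollback protection: a validly signed but older release is refused.
    if version_tuple(manifest["version"]) <= version_tuple(installed_version):
        return False, "rollback or replay of an older signed release rejected"
    return True, "ok"


def demo():
    """Run the verifier over four constructed scenarios and return the verdicts."""
    installed = "3.0.0.4_388"
    good_pkg = b"constructed firmware image, build 389"
    manifest = {"product": "demo-router", "version": "3.0.0.4_389",
                "sha256": hashlib.sha256(good_pkg).hexdigest()}
    sig = sign_manifest(manifest)
    old_manifest = {"product": "demo-router", "version": "3.0.0.4_386",
                    "sha256": hashlib.sha256(good_pkg).hexdigest()}
    good_url = f"https://{PINNED_UPDATE_HOST}/firmware/389.bin"
    return {
        "legitimate": verify_update(manifest, sig, good_pkg, good_url, installed),
        # Same signed manifest, but the download was redirected off the pinned host.
        "hijacked": verify_update(manifest, sig, good_pkg,
                                  "http://203.0.113.10/firmware/389.bin", installed),
        # Package altered in transit; manifest and origin are untouched.
        "tampered": verify_update(manifest, sig, good_pkg + b"-modified", good_url, installed),
        # Genuine older release replayed against a newer installed version.
        "replayed": verify_update(old_manifest, sign_manifest(old_manifest),
                                  good_pkg, good_url, installed),
    }


if __name__ == "__main__":
    for name, (ok, why) in demo().items():
        print(f"{name:11s} accepted={ok} ({why})")
```

Only the first scenario is accepted; the other three fail at the check that corresponds to the attacker's change, which is the property the report's "verify update authenticity" recommendation is asking for. The order of checks matters: the manifest signature is verified first so that no field (digest, version) is consulted before it is known to be authentic.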
Kill Chain Progression
Initial Compromise
Description
Attackers exploited router vulnerabilities and hijacked software updates to deliver PlushDaemon malware to targeted network devices.
Related CVEs
CVE-2025-2492 (CVSS 9.2)
A critical remote code execution vulnerability in ASUS routers with AiCloud enabled, allowing remote attackers to execute unauthorized functions.
Affected Products:
ASUS Routers with AiCloud – 3.0.0.4_382, 3.0.0.4_386, 3.0.0.4_388, 3.0.0.6_102
Exploit Status: Exploited in the wild
MITRE ATT&CK® Techniques
Compromise Software Supply Chain
Hardware Additions
Adversary-in-the-Middle: ARP Cache Poisoning
Application Layer Protocol: Web Protocols
Modify Authentication Process
Impair Defenses: Disable or Modify Tools
Network Service Discovery
Resource Hijacking
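Of the techniques listed, ARP cache poisoning is the one a network sensor can catch directly, because the adversary has to announce false IP-to-MAC bindings on the segment. The following added detection example (written for this page, not code from the report or from any product) parses constructed ARP reply log lines and raises an alert when a pinned gateway binding is contradicted, when an address silently changes MAC, or when one MAC claims the gateway address alongside other addresses. The log format, addresses and the pinned binding are all assumptions.

```python
import re
from collections import defaultdict

# Constructed ARP reply records, as a passive sensor might log them.
# Format, timestamps and addresses are assumptions for this example.
SAMPLE_ARP_LOG = [
    "2025-11-19T08:00:01Z sensor1 arp reply 192.0.2.1 is-at 00:11:22:33:44:01",
    "2025-11-19T08:00:02Z sensor1 arp reply 192.0.2.50 is-at 00:11:22:33:44:50",
    "2025-11-19T08:05:10Z sensor1 arp reply 192.0.2.1 is-at 00:11:22:33:44:99",
    "2025-11-19T08:05:11Z sensor1 arp reply 192.0.2.200 is-at 00:11:22:33:44:99",
    "2025-11-19T08:05:12Z sensor1 arp reply 192.0.2.50 is-at 00:11:22:33:44:50",
]

# Gateway binding the defender has pinned out of band (constructed).
PINNED_BINDINGS = {"192.0.2.1": "00:11:22:33:44:01"}

ARP_RE = re.compile(
    r"^(?P<ts>\S+) (?P<sensor>\S+) arp reply (?P<ip>\d+\.\d+\.\d+\.\d+) "
    r"is-at (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})$",
    re.IGNORECASE,
)


def parse_arp_line(line):
    """Return {'ts', 'ip', 'mac'} for a well-formed record, else None."""
    m = ARP_RE.match(line.strip())
    if not m:
        return None
    return {"ts": m["ts"], "ip": m["ip"], "mac": m["mac"].lower()}


def detect_arp_spoofing(lines, pinned=PINNED_BINDINGS):
    """Stream the records once and return a list of alert dicts."""
    alerts = []
    last_mac_for_ip = {}             # most recent MAC announced for each IP
    ips_for_mac = defaultdict(set)   # every IP each MAC has claimed
    flagged_macs = set()             # avoid re-alerting on the same MAC
    pinned = {ip: mac.lower() for ip, mac in pinned.items()}

    for line in lines:
        rec = parse_arp_line(line)
        if rec is None:
            continue
        ts, ip, mac = rec["ts"], rec["ip"], rec["mac"]

        # Check 1: an announcement contradicts a pinned binding.
        if ip in pinned and mac != pinned[ip]:
            alerts.append({"ts": ts, "kind": "pinned-binding-violation", "ip": ip, "mac": mac})

        # Check 2: an IP that was already seen is now claimed by a different MAC.
        prev = last_mac_for_ip.get(ip)
        if prev is not None and prev != mac:
            alerts.append({"ts": ts, "kind": "ip-mac-change", "ip": ip, "mac": mac})
        last_mac_for_ip[ip] = mac

        # Check 3: one MAC claims the gateway plus other addresses, the
        # pattern of a host inserting itself between clients and the gateway.
        ips_for_mac[mac].add(ip)
        claims_pinned = any(i in pinned for i in ips_for_mac[mac])
        if len(ips_for_mac[mac]) > 1 and claims_pinned and mac not in flagged_macs:
            flagged_macs.add(mac)
            alerts.append({"ts": ts, "kind": "mac-claims-multiple-ips", "ip": ip, "mac": mac})

    return alerts


if __name__ == "__main__":
    for a in detect_arp_spoofing(SAMPLE_ARP_LOG):
        print(f"{a['ts']} {a['kind']:26s} ip={a['ip']} mac={a['mac']}")
```

Check 1 is the strongest signal and the cheapest to maintain: pin the gateway (and any update or DNS server on the segment) and alert on any contradiction. Checks 2 and 3 cover segments where nothing is pinned; they are noisier on networks with failover or multi-homed hosts, so tune them per segment rather than globally.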
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Change and Update Management
Control ID: 6.4.3
NYDFS 23 NYCRR 500 – Cybersecurity Policy
Control ID: 500.03
DORA (Digital Operational Resilience Act) – ICT Third-Party Risk Management
Control ID: Article 27
CISA Zero Trust Maturity Model 2.0 – Supply Chain Asset Security
Control ID: Asset Management - Supply Chain Risk
NIS2 Directive – Security of Supply Chain and ICT Products
Control ID: Article 21(2)(d)
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Computer Software/Engineering
Supply chain attacks targeting software updates compromise code integrity, requiring encrypted traffic protection and zero trust segmentation for development pipelines.
Computer/Network Security
Router hijacking for update manipulation demands enhanced egress security, threat detection capabilities, and inline IPS protection against state-sponsored APT campaigns.
Telecommunications
Network infrastructure vulnerabilities to PlushDaemon require multicloud visibility, east-west traffic security, and secure hybrid connectivity for critical communications systems.
Government Administration
State-sponsored APT targeting update mechanisms necessitates comprehensive compliance adherence including NIST frameworks and anomaly detection for sensitive government operations.
Sources
- China's 'PlushDaemon' Hackers Infect Routers to Hijack Software Updates – https://www.darkreading.com/endpoint-security/chinese-apt-routers-hijack-software-updates
- ESET Research: Chinese PlushDaemon group compromises network devices for adversary-in-the-middle attacks – https://www.globenewswire.com/news-release/2025/11/19/3190716/0/en/ESET-Research-Chinese-PlushDaemon-group-compromises-network-devices-for-adversary-in-the-middle-attacks.html
- China's PlushDaemon group uses EdgeStepper implant to infect network devices with SlowStepper malware in global supply-chain attacks – https://www.techradar.com/pro/security/chinas-plushdaemon-group-uses-edgestepper-implant-to-infect-network-devices-with-slowstepper-malware-in-global-supply-chain-attacks
- Chinese PlushDaemon Hackers use EdgeStepper Tool to Hijack Legitimate Updates and Redirect to Malicious Servers – https://cybersecuritynews.com/chinese-plushdaemon-hackers-use-edgestepper-tool/
Cloud Native Security Fabric (CNSF) Mitigations and Controls
Implementing CNSF-aligned Zero Trust segmentation, enforced egress controls, real-time threat detection, and network encryption would have constrained adversary movement, prevented unauthorized software injection, and blocked data leakage. Network segmentation and continuous anomaly detection would have hampered malicious lateral movement and established command channels within the environment.
Control: Cloud Firewall (ACF)
Mitigation: Blocked malicious update connections and unauthorized inbound access.
Control: Threat Detection & Anomaly Response
Mitigation: Detected unauthorized privilege escalation activities.
Control: Zero Trust Segmentation
Mitigation: Contained lateral movement by enforcing least-privilege, identity-based traffic restrictions.
Control: Inline IPS (Suricata)
Mitigation: Detected and blocked known C2 traffic signatures and anomalous encrypted sessions.
Control: Egress Security & Policy Enforcement
Mitigation: Blocked unauthorized data exfiltration through outbound filtering.
Net effect: minimized reach and potential for operational disruption via an autonomous, distributed security fabric.
Impact at a Glance
Affected Business Functions
- Software Update Mechanisms
- Network Security
- Data Integrity
Estimated downtime: 7 days
Estimated loss: $500,000
Potential exposure of sensitive user data due to compromised software updates and network devices.
Recommended Actions
Key Takeaways & Next Steps
- Enforce Zero Trust segmentation and least-privilege policies to isolate sensitive workloads and infrastructure.
- Implement centralized egress filtering to restrict and monitor outbound connections, minimizing exfiltration risk.
- Deploy inline IPS/IDS solutions for both perimeter and east-west traffic to detect and block C2 activity and lateral movement.
- Enable comprehensive anomaly detection and continuous monitoring to quickly identify privilege abuse and suspicious software update events.
- Utilize encrypted network traffic (MACsec/IPsec) for all internal and hybrid links to protect data in transit against interception and tampering.