Executive Summary
In late 2025, the threat actor PlushDaemon leveraged a custom Go-based implant named EdgeStepper to facilitate a sophisticated supply chain attack targeting organizations relying on automated software updates. By hijacking DNS queries via EdgeStepper, attackers rerouted legitimate update traffic to attacker-controlled infrastructure, covertly delivering malware payloads. This adversary-in-the-middle campaign exploited a weakness in outbound traffic validation and DNS trust, leading to silent compromise of enterprise endpoints through poisoned software update mechanisms. The incident resulted in widespread concerns over supply chain integrity and exposed gaps in security monitoring of encrypted or internal network flows.
This incident highlights the growing trend of adversaries exploiting DNS and software supply chains as primary attack vectors. With regulatory and industry focus tightening on secure update mechanisms and zero trust, similar AitM tactics are escalating in both frequency and sophistication, requiring renewed urgency for organizations to enhance detection at the DNS and network boundary layers.
Why This Matters Now
Attackers are increasingly exploiting trusted DNS resolution and software update channels, making traditional perimeter defenses ineffective. The rapid adoption of automated updates and distributed cloud environments exposes organizations to stealthy supply chain attacks, necessitating advanced threat visibility and egress control before such campaigns cause catastrophic operational or reputational harm.
Attack Path Analysis
The attack began with PlushDaemon leveraging a supply chain compromise, introducing the EdgeStepper implant via hijacked software updates after rerouting DNS queries. The attackers likely escalated privileges within compromised environments by abusing update mechanisms. EdgeStepper provided a foothold, enabling lateral movement across internal infrastructure by manipulating DNS and possibly leveraging east-west connections. The implant established command and control channels through malicious DNS redirection, enabling persistent communication with attacker infrastructure. Exfiltration likely occurred through covert outbound DNS or malicious traffic, ferrying sensitive data to external nodes. The final impact stage involved delivery and potentially execution of malware payloads and further disruption to enterprise operations.
Kill Chain Progression
Initial Compromise
Description
Attackers compromised the software supply chain by rerouting DNS queries to malicious nodes, causing legitimate update mechanisms to deliver the EdgeStepper implant.
Related CVEs
CVE-2025-11001
CVSS 7 – A vulnerability in 7-Zip allows remote code execution through symbolic links in ZIP files.
Affected Products:
7-Zip – < 25.00
Exploit Status:
exploited in the wild
CVE-2025-11002
CVSS 7 – A vulnerability in 7-Zip involves improper handling of symbolic links, leading to directory traversal.
Affected Products:
7-Zip – < 25.00
Exploit Status:
exploited in the wild
MITRE ATT&CK® Techniques
Adversary-in-the-Middle
Data Manipulation: Transmitted Data Manipulation
Network Service Scanning
Application Layer Protocol: DNS
Supply Chain Compromise: Compromise Software Supply Chain
Phishing
Remote Access Software
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Change and Tamper Detection Mechanisms
Control ID: 6.4.3
NYDFS 23 NYCRR 500 – Cybersecurity Policy
Control ID: 500.03
DORA – ICT Risk Management Framework
Control ID: Article 7
CISA ZTMM 2.0 – DNS Security and Traffic Monitoring
Control ID: Network and Environment Segmentation
NIS2 Directive – Supply Chain Security
Control ID: Article 21(2)d
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Computer Software/Engineering
EdgeStepper's DNS hijacking targeting software updates creates critical supply chain vulnerabilities for software companies distributing applications and security patches to customers.
Information Technology/IT
IT service providers face severe risks from adversary-in-the-middle attacks compromising software update infrastructure, potentially affecting multiple client environments simultaneously.
Financial Services
DNS redirection attacks threaten financial institutions' software update processes, risking compliance violations and compromising critical trading systems and customer data protection.
Health Care / Life Sciences
Healthcare organizations using automated software updates face patient safety risks and HIPAA compliance issues from malware injection through compromised update channels.
Sources
- EdgeStepper Implant Reroutes DNS Queries to Deploy Malware via Hijacked Software Updates – https://thehackernews.com/2025/11/edgestepper-implant-reroutes-dns.html (Verified)
- ESET Research: Chinese PlushDaemon group compromises network devices for adversary-in-the-middle attacks – https://www.eset.com/us/about/newsroom/research/eset-research-chinese-plushdaemon-group-compromises-network-devices-for-adversary-in-the-middle-attacks/ (Verified)
- China-Linked PlushDaemon hackers hijack software updates using new EdgeStepper implant – https://www.cybersecurity-help.cz/blog/5081.html (Verified)
- China's PlushDaemon group uses EdgeStepper implant to infect network devices with SlowStepper malware in global supply-chain attacks – https://www.techradar.com/pro/security/chinas-plushdaemon-group-uses-edgestepper-implant-to-infect-network-devices-with-slowstepper-malware-in-global-supply-chain-attacks (Verified)
Cloud Native Security Fabric (CNSF) Mitigations and Controls
Zero Trust segmentation, egress policy enforcement, and east-west traffic security would have disrupted the adversary's ability to deliver, propagate, and control EdgeStepper, while threat detection and granular network visibility could have enabled rapid detection and response. Distributed, inline CNSF controls would have limited the attacker’s lateral movement and prevented malicious DNS-driven command and control and exfiltration.
Control: Egress Security & Policy Enforcement
Mitigation: Denied outbound DNS traffic to unauthorized domains, preventing connection to attacker infrastructure.
Control: Zero Trust Segmentation
Mitigation: Restricted unnecessary privilege escalation across workloads and update infrastructure.
Control: East-West Traffic Security
Mitigation: Blocked unauthorized lateral traffic between workloads and critical update infrastructure.
Control: Cloud Native Security Fabric (CNSF)
Mitigation: Identified and prevented malicious DNS-based C2 through real-time traffic inspection and distributed enforcement.
Control: Cloud Firewall (ACF) + Egress Security & Policy Enforcement
Mitigation: Stopped unauthorized data exfiltration attempts at the network boundary; rapidly detected anomalous workload behaviors and malware execution.
Impact at a Glance
Affected Business Functions
- Software Update Mechanisms
- Network Security
- Data Integrity
Estimated downtime: 7 days
Estimated loss: $500,000
Potential exposure of sensitive user data due to compromised software updates and network traffic interception.
Recommended Actions
Key Takeaways & Next Steps
- Implement egress policy enforcement with FQDN filtering to restrict DNS and outbound traffic to approved update domains only.
- Adopt granular Zero Trust segmentation for all service update channels, leveraging identity-based policies to minimize lateral privilege escalation.
- Deploy east-west traffic monitoring and workload microsegmentation to detect and block unauthorized internal movements.
- Enable distributed, inline threat detection and anomaly response to surface uncommon update or execution behaviors in real time.
- Regularly audit and baseline authorized cloud workloads and update processes to rapidly identify deviations attributable to supply chain threats.
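The first and fourth actions above come down to one check a defender can automate: every lookup of an approved update FQDN must be answered by the sanctioned resolver and must resolve into the vendor's known address ranges, because EdgeStepper-style hijacking breaks exactly one of those two invariants. The detector below is an added illustration, not code from the report or from any vendor product; the log format, the update domains, the address ranges and the resolver address are all constructed placeholders.

```python
import ipaddress

# Constructed allowlist (hypothetical values): each approved update FQDN with the
# address ranges its distribution network is expected to answer from, plus the
# single resolver that egress policy permits clients to use.
APPROVED_RESOLVER = "10.0.0.53"
UPDATE_DOMAINS = {
    "updates.example-vendor.com": [ipaddress.ip_network("203.0.113.0/24")],
    "cdn.example-vendor.com": [ipaddress.ip_network("198.51.100.0/24")],
}

def detect_dns_hijack(log_lines):
    """Return (line_no, qname, reason) for every suspicious update-domain lookup.

    Log format (constructed): '<ts> <client> <resolver> <qname> <answer_ip>'.
    """
    findings = []
    for n, line in enumerate(log_lines, 1):
        parts = line.split()
        if len(parts) != 5:
            continue  # malformed line; skip rather than crash the detector
        _, _, resolver, qname, answer = parts
        qname = qname.rstrip(".").lower()
        if qname not in UPDATE_DOMAINS:
            continue  # only update channels are policed here
        # Check 1: the answer must come from the resolver egress policy allows;
        # a hijacked query is answered by a node that is not that resolver.
        if resolver != APPROVED_RESOLVER:
            findings.append((n, qname, f"unapproved resolver {resolver}"))
        # Check 2: the resolved address must sit inside the vendor's known ranges.
        try:
            ip = ipaddress.ip_address(answer)
        except ValueError:
            findings.append((n, qname, f"unparseable answer {answer!r}"))
            continue
        if not any(ip in net for net in UPDATE_DOMAINS[qname]):
            findings.append((n, qname, f"answer {answer} outside expected ranges"))
    return findings

# Constructed sample log: one clean lookup, one redirected answer, one lookup
# served by a rogue resolver, and one lookup for a domain that is not policed.
SAMPLE_LOG = [
    "2025-11-20T10:00:01Z 10.0.1.15 10.0.0.53 updates.example-vendor.com. 203.0.113.10",
    "2025-11-20T10:00:02Z 10.0.1.15 10.0.0.53 updates.example-vendor.com. 192.0.2.77",
    "2025-11-20T10:00:03Z 10.0.1.16 10.0.9.9 cdn.example-vendor.com. 198.51.100.4",
    "2025-11-20T10:00:04Z 10.0.1.16 10.0.0.53 www.example.org. 192.0.2.5",
]
```

Running `detect_dns_hijack(SAMPLE_LOG)` flags line 2 (answer outside the vendor's ranges) and line 3 (unapproved resolver) while passing the clean lookup and the unmonitored domain; in production the allowlist would be fed from the egress policy rather than hard-coded.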