Executive Summary
ESET researchers have documented a sustained campaign by the China-aligned PlushDaemon APT group that compromises edge and network devices in government, telecommunications, and technology organizations to mount adversary-in-the-middle (AitM) attacks. Once on a device, the group deploys a network implant capable of intercepting, modifying, and redirecting both encrypted and unencrypted traffic passing through it, and uses that position to hijack software update delivery, harvest credentials, and maintain covert surveillance. The operation succeeds where network devices are treated as trusted plumbing rather than as attack surface: weak segmentation and thin east-west controls let a single compromised device expose sensitive communications to persistent espionage.
The incident matters because APTs increasingly operate at the network device layer, where traffic interception bypasses endpoint security entirely, and it exposes gaps in zero trust, segmentation, and encrypted-traffic monitoring that many organizations have not yet closed.
Why This Matters Now
PlushDaemon's campaign underscores a growing trend of adversaries exploiting network infrastructure rather than endpoints alone. As organizations accelerate digital transformation and rely on hybrid environments, attacks at this layer can quietly undermine business integrity and regulatory compliance unless segmentation and encrypted-traffic controls are prioritized.
Attack Path Analysis
PlushDaemon begins by compromising a network device and deploying its implant. The initial vector is not tied to a single documented flaw; exposed management interfaces with weak authentication or unpatched firmware are the likely entry points, so treat both as in scope. Once the implant runs with device-level privilege it sits on the path of every flow the device forwards, which is what distinguishes this campaign from an endpoint intrusion: the attacker does not need to land on a workstation to read or redirect its traffic. From that position the group extends its reach to other internal devices, establishes interception points, and uses the manipulated traffic both as a covert command-and-control channel and as the exfiltration path for intercepted data. The impact is continuous interception of and unauthorized access to data in transit, and a loss of trust in the network path itself.
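The check a practitioner would run against the AitM position described above, as an added example that is not part of the ESET research or this page: for each software-update hostname it takes the DNS answers obtained through the on-path (device-supplied) resolver and through an out-of-band resolver, plus the fingerprint of the TLS leaf certificate the server actually presented, and flags any host where the two answer sets share no address or the certificate does not match a pinned value. All hostnames, addresses, fingerprints and the PINNED_CERTS table are constructed sample data; collecting the observations live is left to the caller.

```python
"""Detect update-channel interception by an on-path network device.

Added example; hosts, IPs, fingerprints and resolver answers are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class UpdateObservation:
    hostname: str
    local_answers: frozenset        # A records from the on-path (device-supplied) resolver
    oob_answers: frozenset          # A records from an independent resolver reached out of band
    presented_cert_sha256: str      # SHA-256 of the leaf cert the update server actually presented


# Pinned leaf-certificate fingerprints distributed out of band (constructed values).
PINNED_CERTS = {
    "updates.example-software.test": "3f1c" * 16,
    "dl.example-vendor.test": "9a0b" * 16,
}


def detect_interception(observations, pinned=PINNED_CERTS):
    """Return (hostname, kind, detail) findings for observations that look intercepted.

    Two independent signals are checked:
      * resolver divergence: the on-path and out-of-band resolvers return answer
        sets with no address in common. CDNs rotate addresses, so a partial
        overlap is treated as benign; a fully disjoint answer set is what an
        on-path DNS hijack produces.
      * certificate mismatch: the presented leaf certificate differs from the
        pinned one. A redirected update host cannot present the genuine
        certificate unless the vendor's key is also compromised.
    A host with no pin is reported so the gap gets closed.
    """
    findings = []
    for o in observations:
        if o.local_answers and o.oob_answers and o.local_answers.isdisjoint(o.oob_answers):
            findings.append((o.hostname, "resolver_divergence",
                             f"on-path {sorted(o.local_answers)} vs out-of-band {sorted(o.oob_answers)}"))
        pin = pinned.get(o.hostname)
        if pin is None:
            findings.append((o.hostname, "no_pin", "no pinned certificate for this update host"))
        elif o.presented_cert_sha256.lower() != pin.lower():
            findings.append((o.hostname, "cert_mismatch",
                             f"presented {o.presented_cert_sha256[:12]}... expected {pin[:12]}..."))
    return findings


def sample_observations():
    """Constructed sample data: one clean host, one hijacked host, one unpinned host."""
    return [
        UpdateObservation("updates.example-software.test",
                          frozenset({"203.0.113.10", "203.0.113.11"}),
                          frozenset({"203.0.113.11", "203.0.113.12"}),   # CDN rotation, overlaps
                          "3f1c" * 16),
        UpdateObservation("dl.example-vendor.test",
                          frozenset({"198.51.100.77"}),                  # answer handed out by the gateway
                          frozenset({"203.0.113.40"}),                   # genuine answer seen out of band
                          "dead" * 16),                                  # certificate of the rogue server
        UpdateObservation("mirror.example-unpinned.test",
                          frozenset({"203.0.113.90"}),
                          frozenset({"203.0.113.90"}),
                          "0c0c" * 16),
    ]


if __name__ == "__main__":
    for hostname, kind, detail in detect_interception(sample_observations()):
        print(f"{hostname}: {kind}: {detail}")
```

Run periodically from a host behind the suspect device, with the out-of-band resolver reached over a tunnel or DoH session the device cannot rewrite; a divergence without a certificate mismatch still deserves a look, since it is the redirect itself, not the payload, that reveals the implant.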
Kill Chain Progression
Initial Compromise
Description
Attackers compromised vulnerable network devices to deploy PlushDaemon implants, gaining a persistent initial foothold on the device itself rather than on an endpoint behind it.
Related CVEs
No specific CVE is attributed to the initial device compromise in the sources cited below. Treat exposed management interfaces with weak or default credentials and unpatched device firmware as the working assumption, and prioritize vendor advisories for the device models actually in use.
MITRE ATT&CK® Techniques
Adversary-in-the-Middle (T1557)
Data Manipulation: Transmitted Data Manipulation (T1565.002)
Hardware Additions (T1200)
Process Injection (T1055)
Valid Accounts (T1078)
Network Service Discovery (T1046, formerly Network Service Scanning)
Network Denial of Service (T1498)
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Strong Access Control Measures
Control ID: 8.3.1
NYDFS 23 NYCRR 500 – Cybersecurity Policy
Control ID: 500.03
DORA (Digital Operational Resilience Act) – ICT Risk Management Framework
Control ID: Art. 9
CISA Zero Trust Maturity Model 2.0 – Network Segmentation and Monitoring
Control ID: 3.2.1
NIS2 Directive – Technical and Organizational Measures
Control ID: Art. 21
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Telecommunications
Core communications infrastructure is exposed to China-aligned APT network implants that enable adversary-in-the-middle attacks and interception of encrypted traffic at the carrier level.
Financial Services
Network devices in financial institutions are high-value targets; compromise enables transaction interception, data exfiltration, and redirection of encrypted sessions to attacker-controlled endpoints.
Government Administration
Government network devices are strategic targets for intelligence gathering, manipulation of communications, and national-security compromise through persistent adversary-in-the-middle capability.
Defense/Space
Nation-state actors target defense network infrastructure to intercept sensitive communications, compromise mission-critical systems, and establish persistent covert access channels.
Sources
- PlushDaemon compromises network devices for adversary-in-the-middle attacks (ESET WeLiveSecurity): https://www.welivesecurity.com/en/eset-research/plushdaemon-compromises-network-devices-for-adversary-in-the-middle-attacks/
- ESET Research: Chinese PlushDaemon group compromises network devices for adversary-in-the-middle attacks (ESET newsroom): https://www.eset.com/us/about/newsroom/research/eset-research-chinese-plushdaemon-group-compromises-network-devices-for-adversary-in-the-middle-attacks/
- China's PlushDaemon group uses EdgeStepper implant to infect network devices with SlowStepper malware in global supply-chain attacks (TechRadar): https://www.techradar.com/pro/security/chinas-plushdaemon-group-uses-edgestepper-implant-to-infect-network-devices-with-slowstepper-malware-in-global-supply-chain-attacks
- APT and financial attacks on industrial organizations in Q1 2025 (Kaspersky ICS CERT): https://ics-cert.kaspersky.com/publications/reports/2025/06/19/apt-and-financial-attackson-industrial-organizations-in-q1-2025/
Cloud Native Security Fabric (CNSF) Mitigations and Controls
Zero Trust segmentation, encryption for data in transit, strict egress controls, east-west monitoring, and continuous anomaly detection would each have narrowed PlushDaemon's options to compromise a device, move laterally, manipulate traffic, and exfiltrate data within the environment.
Control: Cloud Firewall (ACF)
Mitigation: Reduces the attack surface and prevents unauthorized access to device management interfaces.
Control: Multicloud Visibility & Control
Mitigation: Enables rapid detection of privilege changes or unusual administrative actions on infrastructure.
Control: Zero Trust Segmentation
Mitigation: Limits attacker movement using identity-based microsegmentation. A compromised forwarding device still sees the traffic it forwards, so segmentation constrains how far the attacker can reach rather than removing the interception point itself.
Control: Threat Detection & Anomaly Response
Mitigation: Real-time detection and alerting on abnormal traffic flows and command channels, including flows originated by the network devices themselves.
Control: Egress Security & Policy Enforcement
Mitigation: Blocks unauthorized exfiltration attempts using strict outbound controls.
Prevents an attacker from reading or abusing intercepted network data.
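The egress-control and anomaly-detection controls above come down to one concrete practice for network devices: each device has a tiny legitimate outbound profile (NTP, syslog, an approved resolver, the vendor's update host), so anything else it originates is worth an alert. The following is an added example, not the vendor's product or the ESET research: it evaluates constructed NetFlow-style records against a per-device egress baseline and reports every device-originated flow outside it, separating DNS sent to an unapproved resolver from other unbaselined egress. Device addresses, the EGRESS_BASELINE table and SAMPLE_FLOWS are all constructed.

```python
"""Flag egress from network infrastructure devices that falls outside a baseline.

Added example; addresses, baseline entries and flow records are constructed.
"""
import csv
import io
from collections import defaultdict

# Per-device egress baseline: the (dst_ip, proto, dst_port) tuples the device may
# originate. Constructed values; in practice derived from device configuration
# and a learning period, then kept deliberately short.
EGRESS_BASELINE = {
    "192.0.2.1": {                       # edge-router-1 management address
        ("192.0.2.10", "udp", 123),      # internal NTP
        ("192.0.2.20", "udp", 514),      # syslog collector
        ("192.0.2.53", "udp", 53),       # approved internal resolver
        ("203.0.113.5", "tcp", 443),     # vendor firmware update host
    },
}

# Constructed NetFlow-style export. The router talks to an unknown external
# host on 443 three times at one-minute intervals and queries a resolver that
# is not the approved one; the final row is an ordinary workstation.
SAMPLE_FLOWS = """\
ts,src_ip,dst_ip,proto,dst_port,bytes
2025-01-01T00:00:01Z,192.0.2.1,192.0.2.10,udp,123,76
2025-01-01T00:00:05Z,192.0.2.1,192.0.2.20,udp,514,412
2025-01-01T00:01:00Z,192.0.2.1,198.51.100.9,tcp,443,1640
2025-01-01T00:02:00Z,192.0.2.1,198.51.100.9,tcp,443,1588
2025-01-01T00:03:00Z,192.0.2.1,198.51.100.9,tcp,443,1602
2025-01-01T00:03:30Z,192.0.2.1,198.51.100.53,udp,53,88
2025-01-01T00:04:00Z,192.0.2.1,203.0.113.5,tcp,443,90210
2025-01-01T00:04:10Z,192.0.2.77,198.51.100.9,tcp,443,5000
"""


def parse_flows(text):
    """Parse NetFlow-style CSV into dicts with integer port and byte fields."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["dst_port"] = int(row["dst_port"])
        row["bytes"] = int(row["bytes"])
        rows.append(row)
    return rows


def find_baseline_violations(flows, baseline=EGRESS_BASELINE):
    """Aggregate device-originated flows that are not in the device's baseline.

    Returns {(src_ip, dst_ip, proto, dst_port): {"count", "bytes", "reason"}}.
    Hosts without a baseline entry (workstations, servers) are not evaluated
    here; they belong to a different, broader policy.
    """
    violations = defaultdict(lambda: {"count": 0, "bytes": 0, "reason": ""})
    for f in flows:
        allowed = baseline.get(f["src_ip"])
        if allowed is None:
            continue
        key = (f["dst_ip"], f["proto"], f["dst_port"])
        if key in allowed:
            continue
        v = violations[(f["src_ip"],) + key]
        v["count"] += 1
        v["bytes"] += f["bytes"]
        # DNS to anything but the approved resolver is called out separately:
        # it is the cheapest way for an on-path implant to steer traffic.
        v["reason"] = "dns_to_unapproved_resolver" if f["dst_port"] == 53 else "unbaselined_egress"
    return dict(violations)


if __name__ == "__main__":
    for (src, dst, proto, port), v in find_baseline_violations(parse_flows(SAMPLE_FLOWS)).items():
        repeated = " (repeated, possible beacon)" if v["count"] >= 3 else ""
        print(f"{src} -> {dst}:{port}/{proto} x{v['count']} {v['bytes']}B {v['reason']}{repeated}")
```

The same baseline doubles as the outbound ACL on the device itself; keeping the detection and the enforcement derived from one table is what makes the egress control "strict" in practice.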
Impact at a Glance
Affected Business Functions
- Software Update Distribution
- Network Security Management
Estimated downtime: 7 days
Estimated loss: $500,000
Potential exposure of sensitive user data due to compromised software updates and unauthorized access to network devices.
Recommended Actions
Key Takeaways & Next Steps
- Enforce Zero Trust segmentation and microsegmentation to contain lateral movement between workloads and devices.
- Require encryption (e.g., IPsec, MACsec) for all data in transit. A compromised forwarding device can still redirect encrypted sessions, so pair transport encryption with certificate pinning and signed artifacts for software updates and other integrity-critical channels.
- Deploy centralized cloud firewall policies to minimize exposed management interfaces and reduce the attack surface.
- Establish strict egress controls and real-time anomaly detection, covering flows originated by network devices themselves, to prevent C2 and data exfiltration.
- Use multicloud visibility to baseline behavior and promptly identify privilege escalations or suspicious network activity.