
Hijacked update to backdoor deployment
With the network device serving as a stealthy redirect, PlushDaemon then exploits the hijacked update channel to gain access to end-systems. ESET observed how typical victim software (such as a Chinese input-method application) issues a plain HTTP GET to its update server; because DNS resolution was hijacked at the network device, that request lands at attacker-controlled infrastructure instead of the vendor's.
The payload chain typically begins with LittleDaemon, a downloader posing as a DLL, which checks for the presence of the final payload. If absent, it fetches another component, DaemonicLogistics. That tool then interprets HTTP status codes from the hijacked server as commands to download and install the signature backdoor SlowStepper on the target machines.
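Because the update request itself looks legitimate, the clearest early signal of the hijack described above is an update-server hostname resolving to an address outside the vendor's known space. The following detection script is an added example, not ESET's tooling or anything from the campaign; the hostnames, address ranges and resolver log format are all constructed, and in practice the allow-list would be built from the vendor's published infrastructure.

```python
"""Flag update-server DNS answers that fall outside the vendor's known address space.
The log format, hostnames and address ranges below are constructed for this example."""
import ipaddress
import re

# Hypothetical allow-list: update hostnames -> networks the vendor is known to answer from.
EXPECTED_UPDATE_NETS = {
    "update.ime-vendor.test": ["203.0.113.0/24"],
    "dl.ime-vendor.test": ["203.0.113.0/24", "198.51.100.0/25"],
}

# Constructed resolver log line: "<timestamp> <client-ip> Q <queried-name> A <answer-ip>"
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<client>\S+) Q (?P<name>\S+) A (?P<ip>\S+)$")


def parse_line(line):
    """Return the fields of one log line, or None if the line does not match the format."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def is_expected(name, ip):
    """True if the answer for a monitored update host lies inside its allow-listed networks.
    Hosts that are not monitored are passed through unchanged."""
    nets = EXPECTED_UPDATE_NETS.get(name)
    if nets is None:
        return True
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(n) for n in nets)


def find_hijack_candidates(lines):
    """Return (timestamp, client, name, answer) for every off-range update-server answer."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec and not is_expected(rec["name"], rec["ip"]):
            hits.append((rec["ts"], rec["client"], rec["name"], rec["ip"]))
    return hits


# Constructed sample log: two clean answers, two that point an update host elsewhere.
SAMPLE_LOG = [
    "2025-01-10T09:00:01Z 10.0.0.15 Q update.ime-vendor.test A 203.0.113.40",
    "2025-01-10T09:00:02Z 10.0.0.15 Q www.example.test A 192.0.2.9",
    "2025-01-10T09:02:17Z 10.0.0.22 Q update.ime-vendor.test A 192.0.2.77",
    "2025-01-10T09:02:18Z 10.0.0.22 Q dl.ime-vendor.test A 198.51.100.200",
]

if __name__ == "__main__":
    for hit in find_hijack_candidates(SAMPLE_LOG):
        print("suspicious update-server resolution:", hit)
```

Run it against answers as they are delivered to clients (endpoint telemetry or a passive DNS sensor on the client side of the edge device); logs from an upstream resolver will not show a rewrite performed on the compromised device itself.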
SlowStepper is a feature-rich espionage backdoor with modules for browser data collection, audio/video capture, document theft, and credential harvesting. PlushDaemon’s move to weaponize network plumbing reflects adversaries shifting away from blunt endpoint strikes toward quieter, trust-abuse techniques. Earlier this year, a China-linked campaign was found implanting backdoors on Juniper routers, showing attackers’ willingness to live on the network kit itself rather than only on PCs.
