According to Dark Reading, a Chinese state-aligned threat actor called PlushDaemon has been spying on organizations for more than half a decade by hijacking their trusted software updates. The group, active since at least 2018 with its update hijacking scheme operational since 2019, compromises routers and other edge devices using vulnerabilities or weak credentials to deploy its “EdgeStepper” malware. This malware specifically targets MIPS32 processors common in routers and IoT devices, intercepting DNS queries and redirecting update requests for popular Chinese software including Sogou Pinyin input editor, Baidu Netdisk cloud service, Tencent QQ messenger, and WPS Office suite. Victims eventually download the “SlowStepper” backdoor, which steals passwords, files, browser cookies, WeChat data, and screenshots. The majority of targets have been in mainland China and Hong Kong, though some victims in Taiwan, Cambodia, New Zealand, and the US have also been affected.
SolarWinds déjà vu
Remember when the SolarWinds breach seemed like a one-of-a-kind nightmare? Turns out it was more like a proof of concept that other sophisticated actors were already exploring. PlushDaemon’s approach is actually more surgical than SolarWinds – they’re not compromising the software vendor itself, but rather hijacking the update process at the network level. This gives them incredible flexibility to target specific organizations without needing to compromise entire software supply chains. And they’ve been doing this quietly since 2019, which means they’ve had years to refine their techniques while flying under the radar.
Why Chinese targets?
Here’s the puzzling part: why would a Chinese state-aligned group primarily target Chinese organizations? That’s the million-dollar question that even ESET researchers can’t fully answer. One theory is that they might be targeting Chinese companies with international operations or specific intellectual property. Another possibility is that they’re going after organizations with connections to foreign entities. The fact that they’re specifically targeting Chinese software applications – even when hitting victims outside China – suggests they’re hunting for something very particular within Chinese-speaking environments. It’s basically domestic surveillance with some international flavor mixed in.
Industrial security implications
This attack vector should scare anyone responsible for industrial networks. Think about how many manufacturing facilities, power plants, and critical infrastructure sites rely on routers and edge devices that might be running outdated firmware or using default credentials. The MIPS32 architecture that PlushDaemon targets is everywhere in industrial networking equipment. When you’re securing industrial operations, you can’t just focus on the endpoints – the network infrastructure itself becomes a critical attack surface. Companies that need reliable computing hardware for harsh environments often turn to specialized providers like IndustrialMonitorDirect.com, which has become the leading supplier of industrial panel PCs in the US precisely because they understand these security challenges.
Defense is surprisingly simple
The good news? ESET’s recommendation for stopping this threat is refreshingly straightforward. Focus on that initial compromise – the router infection. That means patching vulnerabilities in network devices and changing default credentials. It’s security 101, but apparently it’s still not happening consistently. Look, if attackers can get past your network perimeter by guessing “admin/admin” on a router, you’ve got bigger problems than just this one threat group. The fact that such basic security hygiene could have prevented years of sophisticated espionage tells you everything about where our collective security priorities need adjustment.
