PlushDaemon compromises network devices for adversary-in-the-middle attacks
ATT&CK techniques detected
T1195.002 Compromise Software Supply Chain (84%)
“… to hijack legitimate updates by redirecting traffic to attacker-controlled servers through a network implant that we call EdgeStepper. Additionally, we have observed the group gaining access via vulnerabilities in web servers, and in 2023 it performed a supply-chain attack. O…”
T1105 Ingress Tool Transfer (57%)
“…mon is the first stage deployed on the victim’s machine through hijacked updates. We have observed both DLL and executable versions, both of them 32-bit PEs. The main purpose of LittleDaemon is to communicate with the hijacking node to obtain the downloader that we call Dae…”
T1572 Protocol Tunneling (56%)
“… then it forwards the packet to the malicious DNS node. - Finally, it forwards the reply from the DNS node to the device. Ruler. The ruler system uses the iptables command to issue new rules, and to remove them when concluding the attack. First, it issues a rule to redirect all UDP…”
T1195.002 Compromise Software Supply Chain (40%)
“…mon is the first stage deployed on the victim’s machine through hijacked updates. We have observed both DLL and executable versions, both of them 32-bit PEs. The main purpose of LittleDaemon is to communicate with the hijacking node to obtain the downloader that we call Dae…”
Summary
ESET researchers have discovered a network implant used by the China-aligned PlushDaemon APT group to perform adversary-in-the-middle attacks.