PlushDaemon's EdgeStepper: Sophisticated DNS Hijacking Attacks
Cyber Security News by CyberSum.net
ESET researchers uncovered a sophisticated attack chain by PlushDaemon using EdgeStepper, a DNS proxy tool. This tool intercepts legitimate software updates and replaces them with trojanized versions containing the SlowStepper backdoor. The attack has compromised targets across multiple continents since 2018. EdgeStepper operates by redirecting DNS traffic to malicious servers, enabling the attackers to deploy malicious payloads. The attack sequence involves multiple stages, including the use of downloader components like LittleDaemon and DaemonicLogistics. Organizations should prioritize DNS query monitoring and network device hardening to mitigate this threat.
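As a starting point for the DNS query monitoring recommended above, the following added example (not code from ESET or from this summary) scans resolver logs for software-update hostnames whose answers fall outside an expected address range, and for a single address answering for several unrelated update hostnames. The hostnames, address ranges, log format and function names are constructed for illustration; the shared-address check is a heuristic assumed here, not a behaviour stated in the summary.

```python
import ipaddress
from collections import defaultdict

# Constructed baseline: update hostnames and the networks their answers normally fall in.
# Placeholder names and documentation ranges only, not indicators from the report.
BASELINE = {
    "update.vendor-a.example": ["192.0.2.0/24"],
    "dl.vendor-b.example": ["198.51.100.0/24"],
    "patch.vendor-c.example": ["198.51.100.0/24"],
}

# Constructed resolver log lines: "timestamp client qname answer"
SAMPLE_LOG = """\
2025-01-10T08:00:01Z 10.0.0.21 update.vendor-a.example 192.0.2.10
2025-01-10T08:00:05Z 10.0.0.22 dl.vendor-b.example 198.51.100.7
2025-01-10T09:14:40Z 10.0.0.23 update.vendor-a.example 203.0.113.66
2025-01-10T09:14:52Z 10.0.0.23 dl.vendor-b.example 203.0.113.66
2025-01-10T09:15:03Z 10.0.0.24 patch.vendor-c.example 203.0.113.66
2025-01-10T09:20:00Z 10.0.0.24 www.unrelated.example 203.0.113.9
"""

def parse_log(log):
    """Yield (timestamp, client, qname, ip) for well-formed A/AAAA answer lines."""
    for line in log.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines
        ts, client, qname, answer = parts
        try:
            ip = ipaddress.ip_address(answer)
        except ValueError:
            continue  # answer is not an address (e.g. a CNAME target)
        yield ts, client, qname.rstrip(".").lower(), ip

def find_suspect_answers(log, baseline=BASELINE, min_domains=2):
    """Return (off-baseline answers, addresses shared by several update hostnames)."""
    nets = {d: [ipaddress.ip_network(n) for n in ns] for d, ns in baseline.items()}
    off_baseline, by_ip = [], defaultdict(set)
    for ts, client, qname, ip in parse_log(log):
        if qname not in nets or any(ip in n for n in nets[qname]):
            continue  # not a watched update hostname, or answer is in its usual range
        off_baseline.append((ts, client, qname, str(ip)))
        by_ip[str(ip)].add(qname)
    # Assumed heuristic: unrelated vendors' update hosts rarely share one address.
    shared = {ip: sorted(d) for ip, d in by_ip.items() if len(d) >= min_domains}
    return off_baseline, shared

if __name__ == "__main__":
    print(find_suspect_answers(SAMPLE_LOG))
```

An off-baseline answer can also come from a vendor's legitimate CDN change, so hits are leads to verify against the vendor's published ranges rather than confirmed hijacks.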