EdgeStepper Implant Reroutes DNS Queries to Deploy Malware via Hijacked Software Updates
EdgeStepper Implant Reroutes DNS Queries to Deploy Malware via Hijacked Software Updates
19 November 2025
The threat actor known as PlushDaemon has been observed using a previously undocumented Go-based network backdoor codenamed EdgeStepper to facilitate adversary-in-the-middle (AitM) attacks.
EdgeStepper "redirects all DNS queries to an external, malicious hijacking node, effectively rerouting the traffic from legitimate infrastructure used for software updates to attacker-controlled infrastructure