← Back to Pulse Feed
PULSE DETAIL
PULSE NAME
IOC - PlushDaemon compromises network devices for adversary-in-the-middle attacks
WHITE celestre 2025-11-20 Modified: 2025-12-20
41
IOCs
MEDIUM VOLUME
ESET researchers provide insights into how PlushDaemon performs adversary-in-the-middle attacks using a previously undocumented network implant that we have named EdgeStepper, which redirects all DNS queries to an external, malicious hijacking node, effectively rerouting the traffic from legitimate infrastructure used for software updates to attacker-controlled infrastructure.
slowstepper cc serverfilename esetslowstepperdescriptionpythonserveripany softwareinstaller dlldll tool
MITRE ATT&CK & Malware Families
MALWARE FAMILIES
SlowStepper
Indicators of Compromise (5 / 41 total)
All URL FileHash-MD5 FileHash-SHA1 FileHash-SHA256 domain hostname
TYPEINDICATORDESCRIPTIONCREATED
FileHash-MD5 0ec84f5912b540618695397211189ebb MD5 of ad4f0428fc9290791d550eeddf171aff046c4c2c 2025-11-20
FileHash-MD5 100bd14b76a5e570158811a6af448229 MD5 of 4b194770f6054c513b5a3821cb94feea58c09d3c 2025-11-20
FileHash-MD5 2ba80036b9554d9722e199e9d0065831 MD5 of 2db60f0adef14f4ab3573f8309e6fb135f67ed7d 2025-11-20
FileHash-MD5 3094bd501c2e4630d06f72453ec6d173 MD5 of b5a5da09114f1e8443daf13a799f2645c135b0bc 2025-11-20
FileHash-MD5 e2bc2361ead7c80eba86a5d1c492865d MD5 of 068fd2d209c0bbb0c6fc14e88d63f92441163233 2025-11-20
References (1)
↗ https://www.welivesecurity.com/en/eset-research/plushdaemon-compromises-network-devices-for-adversary-in-the-middle-attacks/