Pulse: IOC - PlushDaemon compromises network devices for adversary-in-the-middle attacks
Author: celestre (WHITE). Created: 2025-11-20. Modified: 2025-12-20. 41 IOCs (medium volume).
ESET researchers provide insights into how PlushDaemon performs adversary-in-the-middle attacks using a previously undocumented network implant that we have named EdgeStepper, which redirects all DNS queries to an external, malicious hijacking node, effectively rerouting the traffic from legitimate infrastructure used for software updates to attacker-controlled infrastructure.
Malware families: SlowStepper
Indicators of Compromise (5 / 41 total)