PULSE NAME
IOC - PlushDaemon compromises network devices for adversary-in-the-middle attacks
WHITE celestre 2025-11-20 Modified: 2025-12-20
41 IOCs
MEDIUM VOLUME
ESET researchers provide insights into how PlushDaemon performs adversary-in-the-middle attacks using a previously undocumented network implant that we have named EdgeStepper, which redirects all DNS queries to an external, malicious hijacking node, effectively rerouting the traffic from legitimate infrastructure used for software updates to attacker-controlled infrastructure.
MITRE ATT&CK & Malware Families
MALWARE FAMILIES
SlowStepper
Indicators of Compromise (5 / 41 total)
TYPE INDICATOR DESCRIPTION CREATED
hostname 7051.gsm.360safe.company 2025-11-20
hostname agt.wcsset.com 2025-11-20
hostname reverse.wcsset.com 2025-11-20
hostname riskware.mimikatz.cv 2025-11-20
hostname st.360safe.company 2025-11-20