China-aligned threat actor PlushDaemon has been conducting espionage operations since 2018, targeting entities in China, Taiwan, Hong Kong, Cambodia, South Korea, the United States, and New Zealand. The group employs a custom backdoor called SlowStepper and uses a network implant named EdgeStepper to hijack legitimate updates. EdgeStepper redirects DNS queries to a malicious node, rerouting traffic from legitimate infrastructure to attacker-controlled servers. The group has also exploited web server vulnerabilities and performed a supply-chain attack. PlushDaemon's adversary-in-the-middle technique involves compromising network devices, deploying EdgeStepper, and using it to redirect DNS queries for software updates to malicious nodes. This allows them to serve malicious updates containing the LittleDaemon downloader, which then deploys the SlowStepper implant.