Concise Cyber


EdgeStepper Implant Deploys Malware by Rerouting DNS Queries

A malicious implant identified as EdgeStepper has been observed actively rerouting DNS queries on compromised systems to deploy malware. The implant’s primary function is to manipulate network traffic at a fundamental level to facilitate further infection.

By intercepting and altering DNS requests, EdgeStepper redirects targeted devices to attacker-controlled servers. This is DNS hijacking performed on the compromised system itself rather than at an upstream resolver, which gives the attacker quiet control over where that system's network connections go.

DNS Hijacking for Malicious Payload Delivery

The core mechanism of the EdgeStepper implant is its ability to watch outgoing DNS traffic. When a user or an automated process on the compromised system tries to resolve the hostname of a legitimate software update server, EdgeStepper intervenes: it forges a DNS response that points the system not to the genuine server but to one operated by the attackers.

This rerouting is central to the implant’s operation. The victim’s system, trusting the falsified DNS information, then initiates a connection with the malicious server under the pretense of performing a routine action, such as downloading a software patch or update.

Weaponizing Legitimate Software Update Channels

Once the connection is established with the attacker-controlled infrastructure, the threat actors leverage the hijacked software update process. Instead of receiving a legitimate update file, the system is served a malicious payload. This method allows attackers to disguise their malware as a trusted and expected file transfer.

The delivery of malware through this hijacked channel completes the infection chain initiated by EdgeStepper. The technique exploits the inherent trust users and systems place in the software update mechanism, turning a standard security process into a vehicle for malware deployment.
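The two stages described above, a forged DNS answer for the update host followed by a tampered download, only succeed if the update client trusts whatever the hijacked name resolves to. The following added example is not EdgeStepper code and is not taken from any vendor report; it builds a DNS query and a hijacked response with the standard library, shows a client that follows the forged answer and fetches a malicious "update", and then shows the same client rejecting it once the payload digest is checked against a value pinned at build time. The hostname `updates.vendor.example`, the two IP addresses, the payload contents and the pinned digest are all constructed for the demonstration; a real client would verify a signed manifest and a TLS certificate rather than a hard-coded hash, and a channel that does neither is exactly what an implant like this needs.

```python
"""Simulated local DNS hijack of a software update host (added example).

Nothing here is real malware or vendor code: hostnames, addresses and payloads
are constructed inline so the script runs offline.
"""
import hashlib
import struct

UPDATE_HOST = "updates.vendor.example"   # assumed update hostname
GENUINE_IP = "198.51.100.10"             # assumed vendor address (TEST-NET-2)
ATTACKER_IP = "203.0.113.66"             # assumed hijack target (TEST-NET-3)

# Constructed "servers": the bytes each address would serve for the update file.
SERVERS = {
    GENUINE_IP: b"vendor-agent-2.4.1 signed build (constructed)",
    ATTACKER_IP: b"MZ\x90\x00 loader that drops an implant (constructed)",
}

# Digest the client ships with. Stands in for a signed update manifest.
PINNED_SHA256 = hashlib.sha256(SERVERS[GENUINE_IP]).hexdigest()


def encode_name(name):
    """Wire-format a DNS name: length-prefixed labels, terminated by 0x00."""
    out = b"".join(bytes([len(label)]) + label.encode() for label in name.split("."))
    return out + b"\x00"


def build_query(txid, name):
    """Standard recursive A query: 12-byte header, one question, QTYPE=A, QCLASS=IN."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", 1, 1)


def build_response(query, ip, ttl=60):
    """Answer a query with one A record. An honest resolver and a hijacker build
    the same packet; only the address they put in RDATA differs."""
    txid = struct.unpack("!H", query[:2])[0]
    question = query[12:]
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)  # QR, RD, RA set
    rdata = bytes(int(octet) for octet in ip.split("."))
    # 0xC00C is a compression pointer back to the question name at offset 12.
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, len(rdata)) + rdata
    return header + question + answer


def parse_a_record(response):
    """Return the first A record's address, or None. Assumes one uncompressed
    question followed by an answer whose name is a 2-byte pointer."""
    pos = 12
    while response[pos] != 0:               # skip the question name labels
        pos += 1 + response[pos]
    pos += 1 + 4                            # terminator, QTYPE, QCLASS
    pos += 2                                # answer name (compression pointer)
    rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", response[pos:pos + 10])
    pos += 10
    if rtype != 1 or rdlen != 4:
        return None
    return ".".join(str(b) for b in response[pos:pos + 4])


def honest_resolver(query):
    return build_response(query, GENUINE_IP)


def hijacking_resolver(query):
    """What the implant does: answer the update host's query with its own server."""
    return build_response(query, ATTACKER_IP)


def fetch_update(resolver, verify=True):
    """Client behaviour: resolve the update host, fetch the file from whatever
    address came back, and (if verify) refuse anything that does not match the
    pinned digest. Returns (address used, payload)."""
    ip = parse_a_record(resolver(build_query(0x1234, UPDATE_HOST)))
    payload = SERVERS[ip]
    if verify and hashlib.sha256(payload).hexdigest() != PINNED_SHA256:
        raise ValueError(f"digest mismatch for update served by {ip}; refusing to install")
    return ip, payload


if __name__ == "__main__":
    print("honest resolver:", fetch_update(honest_resolver)[0])
    ip, payload = fetch_update(hijacking_resolver, verify=False)
    print("hijacked, no verification: installed", payload[:12], "from", ip)
    try:
        fetch_update(hijacking_resolver)
    except ValueError as err:
        print("hijacked, with verification:", err)
```

The point to take from running it is that the redirect itself is cheap and indistinguishable on the wire from a normal answer; what decides the outcome is whether the client authenticates the payload independently of DNS and of the transport it arrived over.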

All articles here are written with the help of AI on the basis of openly available information which cannot be independently verified. We do strive to quote the relevant sources. The intent is only to summarise, in our own words, what is already reported in public forums, with no intention to plagiarise or copy other people's work. The publisher has no intent to defame or cause offence to anyone, any person or any organisation at any moment. The publisher assumes no responsibility for any damage or loss caused by making decisions on the basis of whatever is published on cyberconcise.com. You are advised to do your own checks and balances before making any decision, and the owners and publishers of cyberconcise.com cannot be held accountable for the resulting ramifications. If you have any objections or concerns, or wish to point out anything factually incorrect, please reach out using the form on https://concisecyber.com/about/
