
EdgeStepper Implant Reroutes DNS Queries to Deploy Malware via Hijacked Software Updates

November 26, 2025
By ZadeNor AI Team

Sophisticated Malware Implant Discovered in Software Updates

A recent discovery has shed light on a sophisticated malware implant, dubbed EdgeStepper, which hijacks software updates to deploy malicious code. The tactic reroutes DNS queries so that software update requests are answered by attacker-controlled infrastructure, which then delivers malware to the affected users' systems.

How EdgeStepper Works

EdgeStepper operates by intercepting DNS queries, the lookups that translate human-readable domain names into IP addresses. By manipulating these lookups, the malware redirects users to fake software update websites, where they are tricked into downloading and installing malicious software in place of the genuine update.

// Illustrative constants only: a legitimate query name beside a constructed
// attacker-controlled domain of the kind an update request could be redirected to
const dnsQuery = "example.com";
const manipulatedQuery = "example.com.edgestepper.com";

DNS Hijacking

The malware achieves this by hijacking the DNS resolution process. Normally a user's device sends a DNS query to a recursive DNS server; the recursive server then works through the DNS hierarchy, beginning with a root DNS server, until the domain name is resolved to an IP address. EdgeStepper interferes with this process so that the lookup for a software update host points to a fake software update website instead.

# Example: resolving a name through an explicitly chosen resolver (dnspython).
# Setting the nameserver explicitly overrides the resolver the system was
# configured with, which is one way to obtain a second opinion on an answer.
import dns.resolver
import dns.exception

resolver = dns.resolver.Resolver()
resolver.nameservers = ["8.8.8.8"]  # Google's public DNS server

try:
    answer = resolver.resolve("example.com", "A")
    for rdata in answer:
        print(rdata.address)
except dns.exception.DNSException as exc:
    print(f"DNS query failed: {exc}")

Software Update Hijacking

Once the user downloads and installs the malicious software, EdgeStepper can deploy additional malware payloads, potentially leading to further system compromise.
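A redirected download only succeeds as an attack if the client installs whatever bytes it receives. The check below is an added example, not code from the original post or from any vendor's updater: before installation it verifies a downloaded update against a digest pinned in a manifest obtained out of band, and confirms the download came over TLS from the expected host. The artifact name, URL, payload bytes and manifest are all constructed sample data. Certificate validation on the TLS connection is what defeats a pure DNS redirect in the first place; the digest check is the backstop for clients that fetch over plain HTTP or that skip certificate checks.

```python
import hashlib
import hmac
from urllib.parse import urlparse

# Constructed stand-in for the genuine update payload.
GENUINE_UPDATE = b"constructed genuine update payload v2.4.1"

# Constructed manifest of the kind a vendor publishes separately from the
# download itself (shipped with the client, or fetched over an independently
# authenticated channel). The digest is computed from the sample payload here
# only because this is a self-contained example.
PINNED_MANIFEST = {
    "agent-2.4.1.bin": {
        "url": "https://update.vendor-a.example/agent-2.4.1.bin",
        "sha256": hashlib.sha256(GENUINE_UPDATE).hexdigest(),
    }
}


def verify_update(name, download_url, blob, manifest=PINNED_MANIFEST):
    """Return (ok, reason) for a downloaded update.

    A DNS redirect changes where the bytes come from; it cannot make a forged
    payload match a pinned digest, so the digest comparison is the decisive
    check. The scheme and host checks catch the easier failure modes first.
    """
    entry = manifest.get(name)
    if entry is None:
        return False, "unknown artifact"

    want, got = urlparse(entry["url"]), urlparse(download_url)
    if got.scheme != "https":
        return False, "update fetched without TLS"
    if got.hostname != want.hostname:
        # e.g. an HTTP 3xx bounced the client to a host not in the manifest
        return False, f"unexpected host {got.hostname!r}"

    digest = hashlib.sha256(blob).hexdigest()
    # Constant-time comparison; a plain == would leak nothing useful here but
    # compare_digest is the idiomatic way to compare secrets and digests.
    if not hmac.compare_digest(digest, entry["sha256"]):
        return False, "digest mismatch"
    return True, "ok"


if __name__ == "__main__":
    url = PINNED_MANIFEST["agent-2.4.1.bin"]["url"]
    print(verify_update("agent-2.4.1.bin", url, GENUINE_UPDATE))
    print(verify_update("agent-2.4.1.bin", url, b"tampered payload"))
```

The same pattern applies whether the pinned value is a hash or a detached signature: the trust anchor must reach the client by a path the network resolver cannot influence, otherwise a redirected manifest simply vouches for the redirected payload.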

Detection and Prevention

To detect and prevent EdgeStepper, users should be cautious when downloading and installing software updates, and ensure that their systems are running up-to-date antivirus software. Additionally, users should know which resolvers their devices send DNS queries to, and monitor their system's network activity for update hosts that suddenly resolve to unfamiliar addresses or for other suspicious behavior.
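One concrete form of the monitoring suggested above, covering both the resolution chain described in the earlier sections and the detection advice here. This is an added example, not code from the original post or from any vendor's tooling: it parses a constructed resolver log, compares each name's answers with those obtained from an independent reference resolver queried over a path the suspect network device cannot influence, and checks that update hosts resolve inside the address ranges their vendor publishes. The log format, domain names, IP addresses and ranges are all constructed assumptions, not real indicators.

```python
import ipaddress
from collections import defaultdict

# Constructed sample log in a format of our own (not any real product's).
# Fields: <timestamp> <client-ip> <queried-name> -> <answer-ip>
SAMPLE_LOG = """\
2025-11-26T10:00:01Z 10.0.0.21 update.vendor-a.example -> 198.51.100.23
2025-11-26T10:00:02Z 10.0.0.21 www.vendor-a.example -> 203.0.113.10
2025-11-26T10:00:05Z 10.0.0.33 update.vendor-b.example -> 203.0.113.44
2025-11-26T10:00:06Z 10.0.0.33 update.vendor-c.example -> 198.51.100.9
2025-11-26T10:00:07Z 10.0.0.33 time.example -> 192.0.2.5
2025-11-26T10:00:07Z 10.0.0.33 time.example -> 192.0.2.6
"""

# Constructed: answers from an independent reference resolver (for instance
# DNS-over-HTTPS from a separate network) for the same names.
REFERENCE_ANSWERS = {
    "update.vendor-a.example": {"203.0.113.12"},
    "www.vendor-a.example": {"203.0.113.10"},
    "update.vendor-b.example": {"203.0.113.44"},
    "update.vendor-c.example": {"198.51.100.9"},
    "time.example": {"192.0.2.5", "192.0.2.6"},
}

# Constructed: address ranges each vendor publishes for its update hosts.
EXPECTED_UPDATE_RANGES = {
    "update.vendor-a.example": ["203.0.113.0/24"],
    "update.vendor-b.example": ["203.0.113.0/24"],
    "update.vendor-c.example": ["203.0.113.0/24"],
}


def parse_log(text):
    """Group answer IPs by queried name; names are normalised to lower case."""
    answers = defaultdict(set)
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split()
        if len(fields) != 5 or fields[3] != "->":
            raise ValueError(f"malformed log line: {line!r}")
        qname, addr = fields[2].lower().rstrip("."), fields[4]
        ipaddress.ip_address(addr)  # reject garbage before it reaches the sets
        answers[qname].add(addr)
    return dict(answers)


def outside_ranges(addrs, cidrs):
    """Return the addresses that fall outside every listed CIDR range."""
    nets = [ipaddress.ip_network(c) for c in cidrs]
    return sorted(a for a in addrs
                  if not any(ipaddress.ip_address(a) in n for n in nets))


def find_divergent_answers(observed, reference, expected_ranges):
    """Flag names whose answers disagree with the reference resolver, and
    update hosts that resolve outside their vendor's published ranges even
    when both resolvers agree (covers the case where the reference path is
    compromised too)."""
    findings = []
    for name, seen in sorted(observed.items()):
        ref = reference.get(name)
        if ref is not None and seen != ref:
            findings.append({"name": name, "reason": "differs_from_reference",
                             "observed": sorted(seen), "reference": sorted(ref)})
            continue
        cidrs = expected_ranges.get(name)
        if cidrs:
            bad = outside_ranges(seen, cidrs)
            if bad:
                findings.append({"name": name, "reason": "outside_expected_range",
                                 "observed": bad, "expected": cidrs})
    return findings


def run_detection(log_text=SAMPLE_LOG):
    return find_divergent_answers(parse_log(log_text),
                                  REFERENCE_ANSWERS, EXPECTED_UPDATE_RANGES)


if __name__ == "__main__":
    for finding in run_detection():
        print(finding)
```

On the constructed sample this reports two findings: the vendor-a update host, whose answer differs from the reference resolver, and the vendor-c update host, which both resolvers agree on but which sits outside the vendor's published range. Names with no reference answer and no published range, such as ordinary web hosts, produce nothing, which keeps the output focused on the hosts a hijacked update path would have to touch.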

Conclusion

The discovery of EdgeStepper highlights the need for users to remain vigilant when interacting with software updates and to be aware of the potential risks associated with DNS hijacking. By taking proactive steps to secure their systems and monitor their network activity, users can reduce the risk of falling victim to this sophisticated malware implant.


Source: https://thehackernews.com/2025/11/edgestepper-implant-reroutes-dns.html
