PlushDaemon APT Targeted South Korean VPN Software

A cyber espionage operation targeting South Korean VPN software was conducted in 2023 by a previously undocumented advanced persistent threat (APT) group, PlushDaemon.
According to new research by ESET, the attack involved the compromise of legitimate VPN installer files, embedding a malicious backdoor called SlowStepper alongside the original software.
ESET reported that the malware-infected installer for IPany, a VPN developed in South Korea, was available for download on the developer’s website. SlowStepper is a feature-rich backdoor with over 30 modules designed for extensive surveillance and data collection.
Victims included entities in South Korea’s semiconductor and software industries, as well as individuals in China and Japan. ESET researchers confirmed the operation’s alignment with PlushDaemon, a China-linked group that has been active since 2019.
Key characteristics of the attack include:
- Supply Chain Compromise: Attackers replaced legitimate software updates with trojanized versions
- Deployment: The malicious installer deployed files that ensured SlowStepper’s persistence on infected systems
- Capabilities: SlowStepper modules, written in C++, Python and Go, allow data exfiltration, audio and video recording, and network reconnaissance
ESET’s telemetry revealed that the compromised software was downloaded manually, suggesting a broad targeting strategy rather than regional specificity. The malware also used advanced communication methods, such as DNS queries, to connect with command-and-control servers.
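The article notes that SlowStepper reaches its command-and-control servers through DNS queries, which is a channel many network monitoring setups ignore. The script below is an added example written for this page, not ESET's code and not a description of SlowStepper's actual encoding: it runs a generic DNS-C2 heuristic over constructed resolver log lines, flagging a client that issues many distinct, high-entropy subdomain lookups under one parent domain. The log format, the thresholds and the domain `c2-placeholder.test` are assumptions for the example.

```python
"""Heuristic detector for DNS used as a command-and-control channel.

Added example for this article; not ESET's tooling and not SlowStepper's
real protocol. The signal is shape-based: one client, one parent domain,
many distinct leftmost labels with high character entropy. Legitimate
traffic usually repeats a handful of low-entropy names (www, mail, cdn).
"""
import math
from collections import defaultdict

DISTINCT_THRESHOLD = 8   # distinct leftmost labels per (client, parent domain)
ENTROPY_THRESHOLD = 3.0  # mean Shannon entropy (bits/char) of those labels

# Constructed sample resolver log: "<epoch> <client_ip> <qtype> <qname>".
# Client 10.0.0.5 mixes normal lookups with nine TXT queries whose leftmost
# labels look like encoded data; 10.0.0.7 only does normal lookups.
SAMPLE_LOG = """\
1700000000 10.0.0.5 A www.example.com
1700000001 10.0.0.5 TXT a1b2c3d4e5f6.cmd.c2-placeholder.test
1700000002 10.0.0.5 TXT b2c3d4e5f6a1.cmd.c2-placeholder.test
1700000003 10.0.0.5 A mail.example.com
1700000004 10.0.0.5 TXT c3d4e5f6a1b2.cmd.c2-placeholder.test
1700000005 10.0.0.5 TXT d4e5f6a1b2c3.cmd.c2-placeholder.test
1700000006 10.0.0.5 TXT e5f6a1b2c3d4.cmd.c2-placeholder.test
1700000007 10.0.0.5 TXT f6a1b2c3d4e5.cmd.c2-placeholder.test
1700000008 10.0.0.5 TXT 1a2b3c4d5e6f.cmd.c2-placeholder.test
1700000009 10.0.0.5 TXT 2b3c4d5e6f1a.cmd.c2-placeholder.test
1700000010 10.0.0.5 TXT 3c4d5e6f1a2b.cmd.c2-placeholder.test
1700000011 10.0.0.7 A www.example.com
1700000012 10.0.0.7 A cdn.example.com
"""


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for empty or single-symbol input)."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def parse_line(line: str):
    """Parse one assumed log line; return (ts, client, qtype, qname) or None."""
    parts = line.split()
    if len(parts) != 4:
        return None
    ts, client, qtype, qname = parts
    return int(ts), client, qtype.upper(), qname.rstrip(".").lower()


def parent_domain(qname: str) -> str:
    """Registrable-domain approximation: the last two labels."""
    labels = qname.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else qname


def analyze(log_text: str) -> list:
    """Group queries by (client, parent domain) and flag C2-shaped groups."""
    groups = defaultdict(lambda: {"labels": set(), "queries": 0, "txt": 0})
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        _, client, qtype, qname = rec
        labels = qname.split(".")
        if len(labels) < 3:          # bare apex lookup: no label to carry data
            continue
        g = groups[(client, parent_domain(qname))]
        g["labels"].add(labels[0])   # leftmost label is where encoded data sits
        g["queries"] += 1
        if qtype == "TXT":           # TXT answers are a common downstream channel
            g["txt"] += 1

    findings = []
    for (client, parent), g in groups.items():
        distinct = len(g["labels"])
        mean_entropy = sum(shannon_entropy(l) for l in g["labels"]) / distinct
        if distinct >= DISTINCT_THRESHOLD and mean_entropy >= ENTROPY_THRESHOLD:
            findings.append({
                "client": client,
                "parent": parent,
                "distinct_labels": distinct,
                "mean_entropy": round(mean_entropy, 3),
                "txt_ratio": round(g["txt"] / g["queries"], 2),
            })
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print("suspicious DNS pattern:", f)
```

The thresholds are deliberately conservative so that ordinary CDN and mail traffic is not flagged; in production you would tune them per network and pair this with allow-listing of known high-cardinality domains (cloud storage, telemetry) before raising an alert.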
SlowStepper’s Advanced Features
SlowStepper operates as a versatile surveillance tool, capable of:
- Harvesting system and user data, including installed applications, network configurations and peripheral connections
- Exploiting Python modules to execute commands and collect sensitive files
- Abusing legitimate tools to sideload malicious code, maintaining operational secrecy
This operation highlights a growing trend of sophisticated supply-chain attacks. PlushDaemon’s tactics, such as hijacking software updates and leveraging vulnerabilities in trusted systems, underscore the importance of robust supply chain security and proactive threat monitoring.
The IPany compromise was mitigated after ESET informed the developer, who promptly removed the malicious installer from their site. However, the incident serves as a reminder of the risks posed by targeted cyber espionage campaigns against critical industries.
“The numerous components in the PlushDaemon toolset, and its rich version history, show that, while previously unknown, this China-aligned APT group has been operating diligently to develop a wide array of tools, making it a significant threat to watch for,” ESET concluded.