PlushDaemon APT Targeted South Korean VPN Software
A cyber espionage operation targeting South Korean VPN software was conducted in 2023 by a previously undocumented advanced persistent threat (APT) group, PlushDaemon.
According to new research by ESET, the attack involved the compromise of legitimate VPN installer files, embedding a malicious backdoor called SlowStepper alongside the original software.
ESET reported that the malware-infected installer for IPany, a VPN developed in South Korea, was available for download on the developer’s website. SlowStepper is a feature-rich backdoor with over 30 modules designed for extensive surveillance and data collection.
Victims included entities in South Korea’s semiconductor and software industries, as well as individuals in China and Japan. ESET researchers confirmed the operation’s alignment with PlushDaemon, a China-linked group that has been active since 2019.
Key characteristics of the attack include:
- Supply chain compromise: attackers replaced legitimate software installers and updates with trojanized versions
- Deployment: the malicious installer dropped files that ensured SlowStepper's persistence on infected systems
- Capabilities: SlowStepper modules, written in C++, Python and Go, allow data exfiltration, audio and video recording, and network reconnaissance
ESET’s telemetry revealed that the compromised software was downloaded manually, suggesting a broad targeting strategy rather than regional specificity. The malware also used advanced communication methods, such as DNS queries, to connect with command-and-control servers.
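The article notes only that SlowStepper reached its command-and-control servers through DNS queries. As an added example (not part of the original article and not ESET's or PlushDaemon's code), the Python script below shows one way a defender could triage resolver logs for that pattern. The log format, the sample lines, the choice of TXT-record lookups as the suspicious query type and the thresholds are all assumptions made for illustration; they are not a description of SlowStepper's actual protocol.

```python
"""Triage DNS resolver logs for lookups that resemble C2 address resolution.

Heuristics (assumptions for illustration, not SlowStepper specifics):
  * a client repeatedly issues TXT queries for a domain it never resolved
    with an A/AAAA query (it never connected to that domain by name), or
  * the leftmost label of a TXT query name has high Shannon entropy,
    which is typical of encoded beacon data.
"""
import math
import re
from collections import Counter

# Constructed sample log, format: "<unix_ts> <client_ip> <qtype> <qname>"
# (made up for this example; not real telemetry).
SAMPLE_LOG = """\
1700000000 10.0.0.12 A www.example.com
1700000001 10.0.0.12 TXT _dmarc.example.com
1700000300 10.0.0.12 TXT 9f3ae7c21b4d.cdn-update.example-c2.net
1700000600 10.0.0.12 TXT 9f3ae7c21b4d.cdn-update.example-c2.net
1700000900 10.0.0.12 TXT 9f3ae7c21b4d.cdn-update.example-c2.net
1700000950 10.0.0.12 TXT 9f3ae7c21b4d.cdn-update.example-c2.net
1700001000 10.0.0.47 A mail.example.org
1700001001 10.0.0.47 TXT example.org
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d+)\s+(?P<client>[\d.]+)\s+(?P<qtype>[A-Z]+)\s+(?P<qname>\S+)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None for malformed input."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = int(rec["ts"])
    rec["qname"] = rec["qname"].rstrip(".").lower()
    return rec


def shannon_entropy(s):
    """Bits of entropy per character of the string s."""
    if not s:
        return 0.0
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registrable_domain(qname):
    """Naive 'last two labels' approximation (assumption: use a public
    suffix list in production, since e.g. co.uk breaks this rule)."""
    parts = qname.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else qname


def find_txt_beacons(lines, min_txt=3, entropy_threshold=3.5):
    """Return findings for (client, domain) pairs whose TXT lookups look
    like C2 resolution, according to the heuristics in the module docstring."""
    txt_counts = Counter()
    resolved = set()        # (client, domain) pairs that also did A/AAAA lookups
    high_entropy = set()    # (client, domain) pairs with an entropic leftmost label
    for raw in lines:
        rec = parse_line(raw)
        if rec is None:
            continue        # skip malformed lines rather than crash the triage
        key = (rec["client"], registrable_domain(rec["qname"]))
        if rec["qtype"] == "TXT":
            txt_counts[key] += 1
            first_label = rec["qname"].split(".")[0]
            if len(first_label) >= 8 and shannon_entropy(first_label) >= entropy_threshold:
                high_entropy.add(key)
        elif rec["qtype"] in ("A", "AAAA"):
            resolved.add(key)

    findings = []
    for key, n in sorted(txt_counts.items()):
        reasons = []
        if n >= min_txt and key not in resolved:
            reasons.append(f"{n} TXT lookups with no A/AAAA lookup for the domain")
        if key in high_entropy:
            reasons.append("high-entropy leftmost label in TXT query name")
        if reasons:
            findings.append(
                {"client": key[0], "domain": key[1], "txt_queries": n, "reasons": reasons}
            )
    return findings


if __name__ == "__main__":
    for f in find_txt_beacons(SAMPLE_LOG.splitlines()):
        print(f"{f['client']} -> {f['domain']} ({f['txt_queries']} TXT): {'; '.join(f['reasons'])}")
```

On the constructed sample, the legitimate DMARC and SPF-style TXT lookups are not flagged because the same clients also resolved A records under those domains, while the repeated TXT queries with an encoded-looking label are. Tune `min_txt` and the entropy threshold against your own baseline; mail servers and security tooling legitimately issue many TXT queries.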
SlowStepper’s Advanced Features
SlowStepper operates as a versatile surveillance tool, capable of:
- Harvesting system and user data, including installed applications, network configurations and peripheral connections
- Using Python modules to execute commands and collect sensitive files
- Abusing legitimate tools to sideload malicious code, maintaining operational secrecy
This operation highlights a growing trend of sophisticated supply-chain attacks. PlushDaemon's tactics, such as hijacking software installers and updates and abusing the trust users place in legitimately distributed software, underscore the importance of robust supply chain security and proactive threat monitoring.
The IPany compromise was mitigated after ESET informed the developer, who promptly removed the malicious installer from their site. However, the incident serves as a reminder of the risks posed by targeted cyber espionage campaigns against critical industries.
“The numerous components in the PlushDaemon toolset, and its rich version history, show that, while previously unknown, this China-aligned APT group has been operating diligently to develop a wide array of tools, making it a significant threat to watch for,” ESET concluded.