- The best Mini ITX PC cases of 2025: Expert recommended
- From Copilot to agent - AI is growing up, and CISOs need to be ready
- My favorite Apple Watch for tracking my workouts is 32% off at major retailers
- Discover the Cisco Catalyst Center Fundamentals (CCFND) Training Program
- This robot vacuum's dustbin doubles as a handheld vacuum (and it's on sale)
PlushDaemon APT Targeted South Korean VPN Software
A cyber espionage operation targeting South Korean VPN software was conducted in 2023 by a previously undocumented advanced persistent threat (APT) group, PlushDaemon.
According to new research by ESET, the attack involved the compromise of legitimate VPN installer files, embedding a malicious backdoor called SlowStepper alongside the original software.
ESET reported that the malware-infected installer for IPany, a VPN developed in South Korea, was available for download on the developer’s website. SlowStepper is a feature-rich backdoor with over 30 modules designed for extensive surveillance and data collection.
Victims included entities in South Korea’s semiconductor and software industries, as well as individuals in China and Japan. ESET researchers confirmed the operation’s alignment with PlushDaemon, a China-linked group that has been active since 2019.
Key characteristics of the attack include:
-
Supply Chain Compromise: Attackers replaced legitimate software updates with trojanized versions
-
Deployment: The malicious installer deployed files that ensured SlowStepper’s persistence on infected systems
-
Capabilities: SlowStepper modules, written in C++, Python and Go, allow data exfiltration, audio and video recording, and network reconnaissance
ESET’s telemetry revealed that the compromised software was downloaded manually, suggesting a broad targeting strategy rather than regional specificity. The malware also used advanced communication methods, such as DNS queries, to connect with command-and-control servers.
SlowStepper’s Advanced Features
SlowStepper operates as a versatile surveillance tool, capable of:
-
Harvesting system and user data, including installed applications, network configurations and peripheral connections
-
Exploiting Python modules to execute commands and collect sensitive files
-
Abusing legitimate tools to sideload malicious code, maintaining operational secrecy
This operation highlights a growing trend of sophisticated supply-chain attacks. PlushDaemon’s tactics, such as hijacking software updates and leveraging vulnerabilities in trusted systems, underscore the importance of robust supply chain security and proactive threat monitoring.
The IPany compromise was mitigated after ESET informed the developer, who promptly removed the malicious installer from their site. However, the incident serves as a reminder of the risks posed by targeted cyber espionage campaigns against critical industries.
“The numerous components in the PlushDaemon toolset, and its rich version history, show that, while previously unknown, this China-aligned APT group has been operating diligently to develop a wide array of tools, making it a significant threat to watch for,” ESET concluded.
