ESET researchers have uncovered a sophisticated supply-chain attack targeting a South Korean VPN provider. The attack has been attributed to a previously undisclosed China-aligned Advanced Persistent Threat (APT) group, which ESET has named PlushDaemon.
The operation, discovered in May 2024, involved the compromise of IPany, legitimate VPN software developed by a South Korean company.
PlushDaemon replaced the official installer with a malicious version that deployed both the legitimate software and a custom backdoor called SlowStepper.
SlowStepper is a feature-rich implant whose toolkit comprises more than 30 components. Written in C++, Python, and Go, the backdoor reflects the group's considerable development capabilities and resources.
Malicious PlushDaemon Installer
ESET researchers believe PlushDaemon has been active since at least 2019, conducting espionage operations against targets in China, Taiwan, Hong Kong, South Korea, the United States, and New Zealand.
The group’s primary method of initial access involves hijacking legitimate updates of Chinese applications and redirecting traffic to attacker-controlled servers.
The compromised VPN installer was available for download from IPany’s official website as a ZIP archive. ESET found no evidence of targeted distribution, suggesting that any IPany VPN user could have been a potential victim.
Upon discovery, ESET promptly notified the VPN software developer, who subsequently removed the malicious installer from their website.
ESET telemetry revealed that several users attempted to install the trojanized software within the networks of a semiconductor company and an unidentified software development firm in South Korea.
The oldest recorded cases in ESET’s telemetry date back to November 2023 for a victim in Japan and December 2023 for a victim in China.
This supply-chain attack marks a significant escalation in PlushDaemon’s tactics: the group has moved beyond hijacking the update traffic of Chinese applications to trojanizing the installer distributed by a South Korean software provider itself.
The group’s focus on VPN services is particularly concerning, as these tools are often used to secure sensitive communications and data transfers.
The discovery of PlushDaemon and its activities highlights the ongoing threat posed by state-sponsored cyber espionage campaigns, and it underscores the importance of robust security measures throughout the software supply chain, including the vendor's own download channel.
The incident is a stark reminder that a download from a vendor's official website is not, by itself, proof that the software is untampered. Organizations and individuals alike must remain alert to the risks associated with even seemingly trustworthy software sources.
ESET’s research into PlushDaemon and the SlowStepper backdoor provides valuable insights for the cybersecurity community.
It enables better detection and prevention strategies against similar attacks in the future while also shedding light on the evolving tactics of China-aligned APT groups.
As investigations continue, cybersecurity experts urge users of IPany VPN and similar services to verify the integrity of their software installations, for example by comparing installed files against the indicators published by ESET, and to remain vigilant for any signs of compromise.
Here’s a table summarizing the Indicators of Compromise (IoCs) for the PlushDaemon supply-chain attack:
| SHA-1 | Filename | Detection | Description |
|---|---|---|---|
| A8AE42884A8EDFA17E9D67AE5BEBE7D196C3A7BF | AutoMsg.dll | Win32/ShellcodeRunner.GZ | Initial loader DLL |
| 2DB60F0ADEF14F4AB3573F8309E6FB135F67ED7D | lregdll.dll | Win32/Agent.AGUU | Loader DLL for the SlowStepper backdoor |
| 846C025F696DA1F6808B9101757C005109F3CF3D | OldLJM.dll | Win32/Agent.AGXL | Installer DLL, extracted from EncMgr.pkg and executed in memory |
| AD4F0428FC9290791D550EEDDF171AFF046C4C2C | svcghost.exe | Win32/Agent.AGUU | Process monitor component that launches PerfWatson.exe or RuntimeSvc.exe to side-load lregdll.dll |
| 401571851A7CF71783A4CB902DB81084F0A97F85 | main.dll | Win32/Agent.AEIJ | Decrypted SlowStepper backdoor component |
| 068FD2D209C0BBB0C6FC14E88D63F92441163233 | IPanyVPNsetup.exe | Win32/ShellcodeRunner.GZ | Malicious IPany installer containing SlowStepper implant and legitimate IPany VPN software |
These IoCs provide crucial information for identifying and mitigating the PlushDaemon threat. Security teams should sweep endpoints and file shares for these SHA-1 hashes; a hash match confirms one of the specific samples ESET analyzed, whereas a match on filename alone (note that IPanyVPNsetup.exe is also the name of the installer that carries the legitimate software) is only a triage signal that warrants a closer look.
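The sweep described above, as an added example (not ESET's, IPany's or the article's own code): it walks a directory tree, hashes every file with SHA-1, and reports a strong hit when a digest appears in the IoC table and a weak, triage-only hit when only the filename matches. The `demo()` function builds a constructed sample tree in a temporary directory (the file contents are made up and are not malware), and the hash indicator for the fake installer is derived from those made-up bytes so that the run produces one hash hit and one filename hit.

```python
"""Hash-based IoC sweep for the PlushDaemon/SlowStepper file indicators.

Added example; not code from ESET, IPany or the article. The SHA-1 values and
filenames in PLUSHDAEMON_IOCS are copied from the IoC table in the article.
"""
import hashlib
import os
import tempfile
from pathlib import Path
from typing import Dict, List, Tuple

# SHA-1 (lower-case hex) -> filename, from the IoC table above.
PLUSHDAEMON_IOCS: Dict[str, str] = {
    "a8ae42884a8edfa17e9d67ae5bebe7d196c3a7bf": "AutoMsg.dll",
    "2db60f0adef14f4ab3573f8309e6fb135f67ed7d": "lregdll.dll",
    "846c025f696da1f6808b9101757c005109f3cf3d": "OldLJM.dll",
    "ad4f0428fc9290791d550eeddf171aff046c4c2c": "svcghost.exe",
    "401571851a7cf71783a4cb902db81084f0a97f85": "main.dll",
    "068fd2d209c0bbb0c6fc14e88d63f92441163233": "IPanyVPNsetup.exe",
}

Hit = Tuple[str, str, str]  # (path, match_type, indicator); match_type is "sha1" or "filename"


def sha1_hex(data: bytes) -> str:
    """SHA-1 of an in-memory buffer, lower-case hex (used for the tests and small files)."""
    return hashlib.sha1(data).hexdigest()


def sha1_of_file(path: Path, chunk_size: int = 1 << 20) -> str:
    """Stream a file through SHA-1 so large installers do not have to fit in memory."""
    h = hashlib.sha1()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_tree(root: Path, iocs: Dict[str, str] = PLUSHDAEMON_IOCS) -> List[Hit]:
    """Walk `root` and return every file that matches an IoC.

    A SHA-1 match is reported in preference to a filename match, so a file never
    produces two hits. Unreadable files (locked, permission denied) are skipped
    rather than aborting the sweep.
    """
    hashes = {sha.lower(): name for sha, name in iocs.items()}
    names = {name.lower() for name in hashes.values()}
    hits: List[Hit] = []
    for dirpath, _dirs, filenames in os.walk(root):
        for fn in filenames:
            p = Path(dirpath) / fn
            try:
                digest = sha1_of_file(p)
            except OSError:
                continue
            if digest in hashes:
                hits.append((str(p), "sha1", digest))
            elif fn.lower() in names:
                hits.append((str(p), "filename", fn))
    return hits


def demo() -> List[Tuple[str, str, str]]:
    """Sweep a constructed sample tree and return (filename, match_type, indicator), sorted.

    Everything written here is made up for the example: the bytes are not malware, and
    the extra hash indicator is computed from those made-up bytes so the sweep shows
    what a confirmed hash hit looks like next to a weaker filename-only hit.
    """
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "Downloads").mkdir()
        fake_installer = root / "Downloads" / "IPanyVPNsetup.exe"
        fake_installer.write_bytes(b"constructed sample bytes, not real malware")
        # Same name as a listed loader DLL but different content: filename hit only.
        (root / "Downloads" / "AutoMsg.dll").write_bytes(b"different constructed bytes")
        (root / "notes.txt").write_bytes(b"benign file, no match expected")

        iocs = dict(PLUSHDAEMON_IOCS)
        iocs[sha1_of_file(fake_installer)] = "IPanyVPNsetup.exe"  # constructed indicator
        hits = scan_tree(root, iocs)
        return sorted((Path(p).name, kind, ind) for p, kind, ind in hits)


if __name__ == "__main__":
    for name, kind, indicator in demo():
        print(f"{kind:8s} {name:20s} {indicator}")
```

On a real endpoint, point `scan_tree` at the user's Downloads folder, `%TEMP%`, and the IPany installation directory rather than at the demo tree; a `sha1` hit is confirmation of one of the samples in the table, while a `filename` hit should be escalated for a look at the file's signature, size and origin before it is treated as an infection.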