China-aligned PlushDaemon APT linked to 2023 VPN supply chain attack

A previously undocumented advanced persistent threat (APT) group, dubbed “PlushDaemon,” orchestrated a sophisticated supply chain attack targeting a South Korean virtual private network (VPN) provider in 2023, according to a report by Slovak cybersecurity firm ESET.

The campaign involved the compromise of the installer for the VPN software, which was used to deploy a highly advanced backdoor dubbed ‘SlowStepper.’

The attackers replaced a legitimate installer with a malicious version that not only installed the VPN software but also planted the SlowStepper backdoor, giving the attackers persistent access to infected systems. SlowStepper is described as a toolkit that includes over 30 modules written in a mix of C++, Python, and Go, allowing attackers to execute a wide range of malicious activities on compromised networks.

PlushDaemon is believed to be a China-aligned group, active since at least 2019, with a history of targeting individuals and organizations across China, Taiwan, Hong Kong, South Korea, the United States, and New Zealand. The group is known for hijacking legitimate software update channels and exploiting vulnerabilities in web servers to gain initial access.

ESET's investigation began in May 2024 when the company detected malicious code embedded within a Windows installer for VPN software identified as IPany. The compromised installer was available for download from the VPN provider’s website and was designed to drop both the legitimate software and the SlowStepper implant. Although the rogue installer has since been removed, ESET warned that anyone who had downloaded the infected software may have been at risk.

Telemetry data suggests that several users who attempted to install the infected software were located within networks associated with a semiconductor company and a software development firm in South Korea. The earliest recorded victims were traced to Japan and China in late 2023.

Once the malicious installer ("IPanyVPNsetup.exe") was executed, it would establish persistence on the target machine, even after a reboot. It then loaded a series of DLL files, including AutoMsg.dll and EncMgr.pkg, to run shellcode that further sideloaded additional malicious files like NetNative.pkg and FeatureFlag.pkg and ultimately led to the installation of SlowStepper.

The SlowStepper backdoor, which has been under development since at least January 2019, is equipped with an extensive suite of tools designed for surveillance and data collection. These tools include capabilities for recording audio and video, capturing system information, and executing arbitrary payloads. ESET researchers noted that the backdoor was hosted on GitCode, a Chinese code repository platform.

SlowStepper communicates with its command-and-control (C&C) servers using DNS queries. The backdoor can receive and execute commands, which range from executing Python modules to running arbitrary commands via the command line, deleting files, or downloading and executing additional malicious files.

A distinctive feature of SlowStepper is its custom shell, which enables attackers to upload new payloads, update existing components, and run remote code on infected machines. ESET also discovered additional software programs written in Go within the attackers’ repository that enable reverse proxy and file download functionalities.
