Introduction
In late 2023 [2], the advanced persistent threat (APT) group known as PlushDaemon [4] [10], believed to be aligned with Chinese state interests, executed a sophisticated supply-chain attack on the South Korean VPN provider IPany. This incident underscores the increasing prevalence of complex cyberespionage operations targeting critical industries and highlights the urgent need for enhanced supply chain security measures.
Description
In late 2023 [2], the advanced persistent threat (APT) group PlushDaemon [4] [5] [7] [10], which has been active since at least 2019 and is believed to be aligned with Chinese state interests, executed its first observed supply-chain attack against the South Korean VPN provider IPany. This sophisticated cyberespionage operation involved embedding a backdoor known as SlowStepper into the installer of the legitimate VPN software, exploiting user trust in software updates [5]. The malicious code was integrated into an NSIS-based Windows installer available for download from IPany’s official website [2], which contained both the authentic VPN software and the compromised backdoor.
SlowStepper is a feature-rich toolkit developed in C++ with additional modules in Python and Go [2], designed for extensive data collection [8], activity monitoring [5], and persistent access to infected systems. It employs a multistage command-and-control (C&C) protocol that communicates through DNS queries, which the implant sends directly to public resolvers (Google Public DNS, Alibaba DNS [2], and 114dns.com) to resolve attacker-controlled domains [2]. Through this infrastructure the malware dynamically retrieves an AES-encrypted list of C&C servers, which makes it more resilient to takedowns [2]. The variant used in the IPany VPN compromise is identified as version 0.2.10 Lite [1]; although it has fewer features than other versions [1] [3], it still includes over 30 modules for espionage purposes [1] [2] [3] [5] [9].
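Because the implant is described as resolving its C&C domains through public resolvers rather than the victim's own DNS infrastructure, endpoints that send port-53 traffic directly to those resolvers are a cheap telemetry signal for defenders. The following script is an added example, not code from the report or from ESET: it scans a constructed flow log for hosts that bypass the corporate resolver and labels the well-known anycast addresses of the three resolver services named above. The corporate resolver address, the log format and all sample lines are assumptions made for the example.

```python
"""Flag endpoints whose DNS traffic bypasses the corporate resolver.

Added example (not from the page or ESET). SlowStepper is reported to
query Google Public DNS, Alibaba DNS and 114dns.com directly; in a
managed network, workstations should only talk to the internal resolver,
so direct port-53 traffic to external resolvers is worth alerting on.
Log format, sample lines and the corporate resolver IP are constructed.
"""
from collections import defaultdict
import ipaddress

# Well-known public anycast addresses of the resolver services named in the report.
PUBLIC_RESOLVERS = {
    "8.8.8.8": "Google Public DNS",
    "8.8.4.4": "Google Public DNS",
    "223.5.5.5": "Alibaba DNS",
    "223.6.6.6": "Alibaba DNS",
    "114.114.114.114": "114dns.com",
    "114.114.115.115": "114dns.com",
}

# Hypothetical corporate resolver; replace with the real one(s).
CORPORATE_RESOLVERS = {"10.0.0.53"}

# Constructed flow log: "<timestamp> <src_ip> <dst_ip> <proto> <dst_port>"
SAMPLE_LOG = """\
2024-05-02T09:00:01Z 10.1.2.10 10.0.0.53 udp 53
2024-05-02T09:00:02Z 10.1.2.10 10.0.0.53 udp 53
2024-05-02T09:00:05Z 10.1.2.44 8.8.8.8 udp 53
2024-05-02T09:00:06Z 10.1.2.44 223.5.5.5 udp 53
2024-05-02T09:00:07Z 10.1.2.44 114.114.114.114 udp 53
2024-05-02T09:00:09Z 10.1.2.44 10.0.0.53 udp 53
2024-05-02T09:00:10Z 10.1.2.77 93.184.216.34 tcp 443
2024-05-02T09:00:11Z 10.1.2.90 1.1.1.1 udp 53
"""


def parse_line(line):
    """Split one constructed flow-log line into its fields."""
    ts, src, dst, proto, port = line.split()
    return {"ts": ts, "src": src, "dst": dst, "proto": proto, "port": int(port)}


def find_direct_dns(log_text, corporate=CORPORATE_RESOLVERS):
    """Return {src_ip: {resolver_ip: hit_count}} for DNS flows that go to
    an external resolver instead of the corporate ones. Private-range
    destinations (e.g. a secondary internal resolver) are ignored."""
    hits = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec["port"] != 53 or rec["proto"] not in ("udp", "tcp"):
            continue
        if rec["dst"] in corporate or ipaddress.ip_address(rec["dst"]).is_private:
            continue
        hits[rec["src"]][rec["dst"]] += 1
    return {src: dict(dsts) for src, dsts in hits.items()}


def classify(hits):
    """Map each flagged source to the sorted set of resolver labels it
    contacted. A single host touching several of the resolvers named in
    the report is the strongest signal, since the implant is described
    as using all three; an unlisted external resolver is still reported."""
    return {
        src: sorted({PUBLIC_RESOLVERS.get(dst, "unknown external resolver") for dst in dsts})
        for src, dsts in hits.items()
    }


if __name__ == "__main__":
    for src, labels in classify(find_direct_dns(SAMPLE_LOG)).items():
        print(f"{src}: {', '.join(labels)}")
```

On the constructed log, 10.1.2.44 is reported for contacting all three named resolver services and 10.1.2.90 for an unlisted external resolver, while hosts that only use the corporate resolver or non-DNS ports produce no output. In production the same check runs over firewall, NetFlow or EDR network telemetry, and a hit on all three named services in a short window is a good reason to pull the host's recently installed packages and Registry Run keys for review.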
SlowStepper is capable of gathering extensive data from web browsers, stealing credentials from various applications, and conducting audio and video surveillance [2]. It can scan for sensitive documents and maintain persistence through modifications to the Windows Registry. The attack primarily targeted users in South Korea [2], Japan [1] [2] [3] [4], and China [1] [2] [3] [4] [6], with a particular focus on the semiconductor and software development sectors [2]. ESET researchers detected the malicious code in May 2024 and alerted the VPN developer, leading to the swift removal of the compromised installer from their site. Notably, there was no suspicious code present on the download page [8], indicating that any user of the IPany VPN could have been a potential target [8].
Previous infections linked to this campaign were identified in Japan and China [3], underscoring PlushDaemon’s broader targeting strategy, which also includes regions such as Taiwan, Hong Kong [2] [5] [6], the United States [2] [5] [6], and New Zealand [2] [3] [5] [6]. The diverse components and rich version history of the PlushDaemon toolset indicate that this previously undocumented APT group has been actively developing a wide array of sophisticated malware [6] [9], posing a significant and ongoing threat [1]. This incident highlights the growing trend of sophisticated supply-chain attacks and emphasizes the critical need for robust supply chain security and proactive threat monitoring [4], serving as a reminder of the risks posed by targeted cyber espionage campaigns against vital industries [4]. Organizations and individuals using IPany VPN are advised to reinstall the software from a verified clean source and monitor for signs of SlowStepper on their systems [2].
Conclusion
The PlushDaemon attack on IPany serves as a stark reminder of the vulnerabilities inherent in software supply chains. The incident not only affected users in South Korea, Japan [1] [2] [3] [4], and China but also highlighted the broader targeting strategy of the APT group, which extends to regions such as Taiwan, Hong Kong [2] [5] [6], the United States [2] [5] [6], and New Zealand [2] [3] [5] [6]. This attack underscores the necessity for organizations to implement robust supply chain security measures and engage in proactive threat monitoring. As cyberespionage campaigns become increasingly sophisticated, it is imperative for industries to remain vigilant and prepared to counteract such threats. Organizations and individuals using IPany VPN are strongly advised to reinstall the software from a verified clean source and continuously monitor their systems for any signs of SlowStepper or similar threats.
References
[1] https://www.welivesecurity.com/en/eset-research/plushdaemon-compromises-supply-chain-korean-vpn-service/
[2] https://cyberinsider.com/ipany-vpn-breached-by-hackers-planting-backdoor-on-installer/
[3] https://www.darkreading.com/threat-intelligence/chinese-cyberspies-target-south-korean-vpn-supply-chain-attack
[4] https://www.infosecurity-magazine.com/news/plushdaemon-apt-targeted-south/
[5] https://www.cyclonis.com/remove-plushdaemon-apt-group/
[6] https://www.helpnetsecurity.com/2025/01/22/plushdaemon-apt-slowstepper-supply-chain-compromise/
[7] https://blog.eset.ie/2025/01/22/eset-discovers-new-apt-group-and-its-supply-chain-attack-on-south-korean-vpn-service/
[8] https://www.techradar.com/vpn/china-linked-cyberespionage-group-plushdaemon-used-south-korean-vpn-service-to-inject-malware
[9] https://www.eset.com/us/about/newsroom/press-releases/eset-discovers-new-china-aligned-apt-group-plushdaemon-and-its-supply-chain-attack-on-south-korean-vpn-service/
[10] https://cyber.vumetric.com/security-news/2025/01/22/plushdaemon-apt-targets-south-korean-vpn-provider-in-supply-chain-attack/