
Chinese APT Targets Korean VPN in Supply Chain Attack


A newly discovered Chinese threat group has targeted a South Korean VPN developer with a supply chain attack aimed at deploying a custom backdoor to collect data for cyber-espionage purposes.

The group, dubbed PlushDaemon by the researchers at ESET Research who discovered it, typically aims to hijack legitimate updates of Chinese applications in its malicious operations “by redirecting traffic to attacker-controlled servers,” according to a blog post by ESET researcher Facundo Muñoz published on Jan. 22. “Additionally, we have observed the group gaining access via vulnerabilities in legitimate web servers,” he wrote.

However, in May 2024 the researchers also found the group had planted malicious code in an NSIS installer for the Windows version of IPany VPN, a product of the South Korean company IPany, which represents a departure from its usual update-hijacking operations, they said. ESET notified IPany and the malicious installer was removed from the company’s website.

PlushDaemon has been active since at least 2019, conducting cyberespionage operations against individuals and entities in mainland China, Taiwan, Hong Kong, South Korea, the US, and New Zealand. The group is the exclusive user of several malware families, most notably SlowStepper, a custom, modular Windows backdoor for collecting various data from infected machines, according to ESET.

Atypical Supply-Chain Attack

The first sign of the supply-chain attack came in May 2024, when ESET researchers noticed detections of malicious code in an NSIS installer for Windows that users from South Korea had downloaded from the IPany website.

“The victims appear to have manually downloaded a ZIP archive containing a malicious NSIS installer from the URL https://ipany[.]kr/download/IPanyVPNsetup.zip,” Muñoz wrote. However, the researchers didn’t find suspicious code on the download page “to produce targeted downloads, for example by geofencing to specific targeted regions or IP ranges.” This led them to believe that “anyone using the IPany VPN might have been a valid target.”

Several users attempted to install the Trojanized software in the network of a semiconductor company and an unidentified software development company in South Korea. Further research found even older cases of infection via the campaign, with the two oldest coming from a victim in Japan in November 2023 and a victim in China in December 2023, the researchers said.

SlowStepper Backdoor

The payload in the supply chain attack is PlushDaemon’s own SlowStepper backdoor, which has more than 30 modules. However, the group used a “lite” version of the backdoor in the IPany attack, which contains fewer features than both earlier and later versions of the backdoor, the researchers said.

The backdoor features a multistage command-and-control (C2) protocol using DNS, and is known for its ability to download and execute dozens of additional Python modules with espionage capabilities.

“Both the full and Lite versions make use of an array of tools programmed in Python and Go, which include capabilities for extensive collection of data, and spying through recording of audio and videos,” Muñoz wrote.

The researchers found PlushDaemon’s tools stored in a remote code repository hosted on the Chinese platform GitCode, under the LetMeGo22 account. At the time of writing, the profile was private.

Another Chinese APT Emerges

China already has a raft of known and active APTs that regularly and persistently engage in cyberespionage activities against the US and its allies. One of the most notable operations of late was the infiltration of US broadband provider networks by the Chinese APT Salt Typhoon; however, the investigation into that incident was dealt a significant blow on Jan. 21, when the Trump administration, on the president’s second day back in office, dismissed the members of the Cyber Safety Review Board looking into it.

However, with a new, sophisticated actor like PlushDaemon now emerging from the shadows, organizations need to be more vigilant than ever against malicious cyber activity from China, Muñoz said.

“The numerous components in the PlushDaemon toolset and its rich version history show that, while previously unknown, this China-aligned APT group has been operating diligently to develop a wide array of tools, making it a significant threat to watch for,” he wrote.

To that end, ESET included a link to its GitHub repository that contains a comprehensive list of indicators of compromise (IoCs) and samples of PlushDaemon activity.
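A practical use of such an IoC list is an offline sweep: hash the installers sitting in users’ download folders and grep DNS logs for the listed domains. The following is an added example that is not part of the article or of ESET’s repository; it assumes a simple hypothetical `type=value` line format for the IoC file, and every hash, file and domain in it is a constructed placeholder rather than a real PlushDaemon indicator.

```python
"""Offline IoC sweep: SHA-256 files on disk and match DNS log lines against a
hash/domain list. Added example; the IoC format and all values are constructed."""
import hashlib
import os
import tempfile

# Constructed stand-ins for a trojanized and a clean installer (NOT real samples).
TROJANIZED_BYTES = b"constructed trojanized NSIS installer stub 0xB4D"
CLEAN_BYTES = b"constructed clean NSIS installer stub"
# Constructed placeholder C2 domain (.invalid TLD never resolves on the real Internet).
C2_DOMAIN = "update.example-c2.invalid"

# Constructed DNS resolver log lines: "<timestamp> <host> query <type> <name>".
DNS_LOG = [
    "2024-05-03T10:22:11Z host01 query A update.example-c2.invalid",
    "2024-05-03T10:22:12Z host01 query A www.example.com",
    "2024-05-03T10:22:13Z host02 query TXT notexample-c2.invalid",  # must NOT match
]


def sha256_file(path, chunk=1 << 16):
    """Stream a file through SHA-256 so large installers do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def parse_iocs(text):
    """Parse the hypothetical 'type=value' IoC format into lowercase sets per type."""
    iocs = {"sha256": set(), "domain": set()}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        kind, value = line.split("=", 1)
        if kind in iocs:
            iocs[kind].add(value.strip().lower().rstrip("."))
    return iocs


def domain_matches(name, domains):
    """True if name equals an IoC domain or is a subdomain of one (not a mere suffix)."""
    name = name.lower().rstrip(".")
    return any(name == d or name.endswith("." + d) for d in domains)


def sweep_files(root, iocs):
    """Return (path, sha256) for every file under root whose hash is an IoC."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            digest = sha256_file(path)
            if digest in iocs["sha256"]:
                hits.append((path, digest))
    return hits


def sweep_dns_log(lines, iocs):
    """Return the queried names (last field of each line) that match an IoC domain."""
    hits = []
    for line in lines:
        fields = line.split()
        if fields and domain_matches(fields[-1], iocs["domain"]):
            hits.append(fields[-1].lower().rstrip("."))
    return hits


def demo():
    """Build a temp directory with the constructed files, then run both sweeps."""
    with tempfile.TemporaryDirectory() as root:
        bad = os.path.join(root, "trojanized-setup.exe")
        good = os.path.join(root, "clean-setup.exe")
        with open(bad, "wb") as f:
            f.write(TROJANIZED_BYTES)
        with open(good, "wb") as f:
            f.write(CLEAN_BYTES)
        # The IoC file lists the constructed trojanized hash and the placeholder domain.
        ioc_text = "# constructed IoC list\nsha256=%s\ndomain=%s\n" % (
            hashlib.sha256(TROJANIZED_BYTES).hexdigest(), C2_DOMAIN)
        iocs = parse_iocs(ioc_text)
        file_hits = sorted(os.path.basename(p) for p, _ in sweep_files(root, iocs))
        dns_hits = sweep_dns_log(DNS_LOG, iocs)
    return {"file_hits": file_hits, "dns_hits": dns_hits}


if __name__ == "__main__":
    print(demo())
```

The domain check deliberately requires a label boundary (`name == d` or `name.endswith("." + d)`), so a lookalike such as `notexample-c2.invalid` is not reported as a hit for `example-c2.invalid`; a plain substring or suffix match is a common source of false positives when grepping resolver logs against IoC lists.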
