Stealthy Chinese hackers target VPN users via infected installer


China-aligned attackers known for cyber espionage have launched a supply-chain attack targeting IPany VPN.

A previously undisclosed advanced persistent threat (APT) group, codenamed PlushDaemon by ESET researchers, carried out a supply-chain attack in 2023 on IPany, a South Korean company that develops the IPany VPN software.

Researchers who identified the operation in May 2024 said attackers replaced the legitimate NSIS installer for Windows with one that deployed malicious code. "We believe that anyone using the IPany VPN might have been a valid target," ESET says in a blog post.


The victims manually downloaded a ZIP file containing the backdoor, SlowStepper, directly from the VPN's official website. This backdoor hijacks legitimate updates by redirecting traffic to attacker-controlled servers.

Page at IPany website from which the malicious installer could be downloaded. Credit: ESET

Malicious tools written in Python and Go allowed access to extensive amounts of data and spying by recording audio and video. The oldest known version of the SlowStepper backdoor was compiled on January 31st, 2019.

The APT group has been active since at least 2019 and has previously targeted updates on Chinese applications. The APT was also observed conducting espionage operations targeting individuals and organizations in China, Taiwan, Hong Kong, South Korea, the United States, and New Zealand.

Since the compromise was discovered, the VPN software developer has removed the malicious installer from its website.
