China-Linked Hackers Target South Korean VPN IPany with Sophisticated Backdoor "SlowStepper"

January 22, 2025
  • In a recent supply-chain attack, a China-aligned hacking group known as PlushDaemon targeted IPany, a South Korean VPN provider.

  • The attackers compromised the legitimate installer of IPany's VPN software, replacing it with a malicious version that deployed a sophisticated backdoor named SlowStepper.

  • PlushDaemon is recognized for its advanced supply-chain attack techniques, initially gaining access by hijacking legitimate updates of Chinese applications.

  • The SlowStepper backdoor is capable of extensive data gathering and clandestine surveillance, including audio and video recording, and is hosted on the Chinese platform GitCode.

  • This malware can collect extensive data from web browsers, take photos, scan for documents, extract information from messaging applications, and steal password credentials.

  • SlowStepper features a multistage command-and-control protocol via DNS, allowing it to download and execute additional Python modules with espionage capabilities.

  • The malicious installer was available for download from IPany's official website, indicating a broad potential victim base, since any user who downloaded it could have been affected.

  • Following the discovery of the compromised installer, ESET notified IPany, which subsequently removed the malicious version from its website.

  • Cybersecurity experts recommend that users of IPany VPN and similar services verify their software installations and remain vigilant for signs of compromise.

  • The findings from this incident raise serious concerns for internet user security, particularly given the group's ability to remain undetected for an extended period.

  • Telemetry data revealed attempts to install the malicious software in networks of semiconductor and software development companies in South Korea, with earlier victims in Japan and China.

  • This incident mirrors a similar warning from Google in January 2025 about VPN apps being exploited to infect devices with malware by a group called Playfulghost.

Summary based on 6 sources
