Chinese Hackers Exploit VPN Service to Spread Malware, Compromise User Security
January 22, 2025
SlowStepper, the backdoor delivered by the trojanized installer, lets the attackers exfiltrate sensitive data, execute commands, and maintain persistence on infected systems.
Notable capabilities of SlowStepper include extensive data collection, remote command execution, and surveillance functions such as audio and video recording.
The first known incidents related to this attack date back to late 2023, with victims identified in Japan and China.
The focus on VPN services is particularly alarming as these tools are critical for securing sensitive communications and data transfers.
The findings raise serious concerns for internet user security, especially given PlushDaemon's ability to remain undetected for an extended period.
A China-aligned cyberespionage group known as PlushDaemon compromised the installer of a legitimate South Korean VPN service, IPany, in a supply-chain attack to distribute malware and spy on its users.
ESET's security team discovered the malicious code embedded in the Windows installer for IPany in May 2024, affecting users who downloaded it.
The malicious installer was available for download on IPany's official website, indicating a broad potential victim base beyond specific targets.
This incident serves as a warning that even trusted service providers can fall victim to cyber-attacks, underscoring the importance of vigilance in cybersecurity.
The attackers compromised the installer of IPany's VPN software, replacing it with a malicious version that deployed a backdoor named SlowStepper.
Experts emphasize that PlushDaemon's extensive toolkit and operational history indicate a significant threat, warranting ongoing monitoring.
Cybersecurity experts recommend that users of IPany VPN and similar services verify the installers they downloaded and ran, and remain vigilant for signs of compromise.
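As an added example (not part of the original reporting, and not a tool from ESET or IPany), the following PowerShell script shows the two checks that "verify your installation" amounts to on Windows: an Authenticode signature check and a SHA-256 comparison against a vendor-published hash. The installer path and the expected hash are parameters you supply; the script assumes nothing about IPany's actual file names or hashes.

```powershell
# Added example (not from the original article). Verify a downloaded Windows installer
# before trusting it. Assumptions: $InstallerPath and $ExpectedSha256 are supplied by the
# user; the expected hash must be obtained from the vendor through a channel other than
# the download page itself, because in a supply-chain attack the attacker controls
# what that page serves.
param(
    [Parameter(Mandatory = $true)][string]$InstallerPath,
    [Parameter(Mandatory = $true)][string]$ExpectedSha256
)

if (-not (Test-Path -LiteralPath $InstallerPath)) {
    Write-Error "Installer not found: $InstallerPath"
    exit 2
}

# Check 1: Authenticode. 'Valid' means the file is signed and chains to a trusted root.
# Still compare the signer subject with the vendor you expect: a valid signature from an
# unrelated signer (or no signature at all on a product that normally ships signed) is a
# red flag, not a pass.
$sig    = Get-AuthenticodeSignature -LiteralPath $InstallerPath
$signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { "(unsigned)" }
Write-Output ("Signature status : {0}" -f $sig.Status)
Write-Output ("Signer subject   : {0}" -f $signer)
$sigOk = ($sig.Status -eq 'Valid')

# Check 2: SHA-256 against the value the vendor published out of band (case-insensitive).
$actual = (Get-FileHash -LiteralPath $InstallerPath -Algorithm SHA256).Hash
Write-Output ("SHA-256          : {0}" -f $actual)
$hashOk = ($actual -ieq $ExpectedSha256)

if ($sigOk -and $hashOk) {
    Write-Output "OK: signature valid and hash matches the vendor-published value."
    exit 0
}
if (-not $sigOk)  { Write-Warning "Signature status is '$($sig.Status)'; do not run this installer." }
if (-not $hashOk) { Write-Warning "SHA-256 does not match the expected value; do not run this installer." }
exit 1
```

Usage: `.\Verify-Installer.ps1 -InstallerPath .\setup.exe -ExpectedSha256 <hash from the vendor>`. Both checks have to pass; a matching hash only proves the file is the one the vendor published, which is exactly the case in which a compromised vendor site would still be serving the trojanized file, so the signer identity is the check that catches an installer the vendor never signed.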
Summary based on 7 sources
Sources
TechRadar pro • Jan 22, 2025
China-linked cyberespionage group PlushDaemon used South Korean VPN service to inject malware
BleepingComputer • Jan 22, 2025
IPany VPN breached in supply-chain attack to push custom malware
The Hacker News • Jan 22, 2025
PlushDaemon APT Targets South Korean VPN Provider in Supply Chain Attack