China-Linked Hackers Target South Korean VPN IPany with Sophisticated Backdoor "SlowStepper"
January 22, 2025
A recent supply chain attack on IPany, a South Korean VPN provider, has been attributed to a China-aligned hacking group known as PlushDaemon.
The attackers compromised the legitimate installer of IPany's VPN software, replacing it with a malicious version that deployed a sophisticated backdoor named SlowStepper.
PlushDaemon is recognized for its advanced supply-chain attack techniques, initially gaining access by hijacking legitimate updates of Chinese applications.
The SlowStepper backdoor is capable of extensive data gathering and clandestine surveillance, including audio and video recording, and is hosted on the Chinese platform GitCode.
This malware can collect extensive data from web browsers, take photos, scan for documents, extract information from messaging applications, and steal password credentials.
SlowStepper features a multistage command-and-control protocol via DNS, allowing it to download and execute additional Python modules with espionage capabilities.
The malicious installer was available for download from IPany's official website, so anyone who downloaded the VPN during that period could have been affected, indicating a broad potential victim base.
Following the discovery of the compromised installer, ESET notified IPany, which subsequently removed the malicious version from its website.
Cybersecurity experts recommend that users of IPany VPN and similar services verify their software installations and remain vigilant for signs of compromise.
The findings from this incident raise serious concerns for internet user security, particularly given the group's ability to remain undetected for an extended period.
Telemetry data revealed attempts to install the malicious software in networks of semiconductor and software development companies in South Korea, with earlier victims in Japan and China.
This incident mirrors a similar warning from Google in January 2025 about VPN apps being exploited to infect devices with malware by a group called Playfulghost.
Summary based on 6 sources
Sources
TechRadar pro • Jan 22, 2025: China-linked cyberespionage group PlushDaemon used South Korean VPN service to inject malware
BleepingComputer • Jan 22, 2025: IPany VPN breached in supply-chain attack to push custom malware
The Hacker News • Jan 22, 2025: PlushDaemon APT Targets South Korean VPN Provider in Supply Chain Attack
Help Net Security • Jan 21, 2025: China-aligned PlushDaemon APT compromises supply chain of Korean VPN