PlushDaemon

Description

(ESET) In May 2024, we noticed detections of malicious code in an NSIS installer for Windows that users from South Korea had downloaded from the website of the legitimate VPN software IPany (https://ipany.kr/; see Figure 1), which is developed by a South Korean company. Upon further analysis, we discovered that the installer was deploying both the legitimate software and the backdoor that we’ve named SlowStepper. We contacted the VPN software developer to inform them of the compromise, and the malicious installer was removed from their website.

We attribute this operation to PlushDaemon – a China-aligned threat actor active since at least 2019, engaging in espionage operations against individuals and entities in China, Taiwan, Hong Kong, South Korea, the United States, and New Zealand. PlushDaemon uses a custom backdoor that we track as SlowStepper, and its main initial access technique is to hijack legitimate updates by redirecting traffic to attacker-controlled servers. Additionally, we have observed the group gaining access via vulnerabilities in legitimate web servers.

Names

Name	Name-Giver
PlushDaemon	ESET

Country

• China

Motivation

• Information theft and espionage

First Seen

2019

Observed Countries

• China
• Hong Kong
• New Zealand
• South Korea
• Taiwan
• USA

Tools

• SlowStepper

Information

• https://www.welivesecurity.com/en/eset-research/plushdaemon-compromises-supply-chain-korean-vpn-service/

Other Information

Uuid

a4ede8f6-c5bf-4791-97d0-f192fc1ae406

Last Card Change

2025-02-22