A recent discovery of a Chinese threat group targeting a South Korean VPN developer with a supply chain attack has raised concerns about data collection for cyber-espionage purposes. The group, known as PlushDaemon, was identified by ESET Research, whose researchers found that the group typically hijacks legitimate updates of Chinese applications to redirect traffic to attacker-controlled servers.
According to a blog post by ESET researcher Facundo Muñoz, the group has also been observed gaining access through vulnerabilities in legitimate web servers. In a departure from its usual operations, the researchers discovered the group planting malicious code in an NSIS installer for the Windows version of VPN software developed by the South Korean company IPany. Upon notification, IPany promptly removed the malicious installer from its website.
PlushDaemon has been active since at least 2019, engaging in cyber-espionage operations targeting individuals and entities in mainland China, Taiwan, Hong Kong, South Korea, the US, and New Zealand. The group is known for using exclusive malware, including a custom modular backdoor for Windows called SlowStepper that collects various data from infected machines.
The first sign of the supply chain attack occurred in May 2024 when ESET researchers detected malicious code in an NSIS installer for Windows downloaded from the IPany website by users in South Korea. The victims manually downloaded a ZIP archive containing a malicious NSIS installer, leading researchers to believe that anyone using the IPany VPN could have been a target. Further investigations revealed infections in the networks of a semiconductor company and an unidentified software development company in South Korea, as well as older cases from victims in Japan and China.
The payload of the supply chain attack was identified as PlushDaemon’s SlowStepper backdoor, which contains more than 30 modules. In the IPany attack, a “lite” version of the backdoor was used, with fewer capabilities than both earlier and later versions. The backdoor uses a multistage command-and-control protocol over DNS and is capable of downloading and executing additional Python modules for espionage purposes.
The tools used by PlushDaemon were found in a remote code repository on the Chinese platform GitCode, under the account LetMeGo22. The repository was private at the time of investigation. With the emergence of PlushDaemon and its sophisticated tools, organizations are advised to remain vigilant against cyber threats from China.
President Trump’s recent decision to fire the cyber safety board investigating Chinese cyberattacks on US broadband providers, known as Salt Typhoon, highlights the ongoing challenges posed by state-sponsored threat actors. ESET has provided a link to its GitHub repository containing indicators of compromise and samples of PlushDaemon activity for organizations to utilize in their defense strategies.
In conclusion, the emergence of PlushDaemon highlights the evolving landscape of cyber threats originating from China. With a wide array of tools developed by the group, organizations must enhance their cybersecurity measures to protect against sophisticated and persistent threat actors like PlushDaemon.
