A China-linked cyberespionage group abused a legitimate VPN service to distribute malware and spy on its victims. ESET’s security research team found that the Windows installer of IPany, a South Korean VPN provider, bundled malicious code alongside the legitimate VPN software.
The PlushDaemon APT group is also known for hijacking legitimate Chinese app updates, but this technically advanced supply chain attack against a trusted Korean VPN company makes the group “a significant threat to watch”, according to ESET’s researchers.
The SlowStepper backdoor
ESET’s new report sheds light on a previously undisclosed China-aligned APT group called PlushDaemon, which the researchers say has been active since at least 2019 and whose operations aim, among other things, to spy on targets’ activities.
To do this, the attackers have both hijacked legitimate Chinese app updates and mounted a supply chain attack against the South Korean VPN developer IPany. Both techniques deliver a backdoor onto the victim’s device while the user installs what appears to be legitimate software.
Named SlowStepper, the backdoor relies on advanced infrastructure that allows extensive data collection and spying via audio and video recording.
“We did not find any suspicious code on the download page to produce targeted downloads, for example by geolocating targeted regions or specific IP ranges,” the experts explain. “Therefore, we believe that anyone using IPany VPN could have been a valid target.”
The full technical analysis is available on the ESET blog.
ESET notified IPany of the compromise, and the company later removed the malicious installer from its website.
Still, ESET’s findings raise concerns about the safety of internet users, especially since the group managed to go unnoticed for so long.
The researchers wrote: “The PlushDaemon toolset’s numerous components and rich version history show that, although previously unknown, this China-aligned APT group has worked diligently to develop a wide range of tools, making it a significant threat to watch out for.”
Worse still, this is far from the only case in which VPN users – that is, people actively seeking to protect their data online – are the primary target. Google reported a similar threat in early January 2025, warning that the operators behind the PLAYFULGHOST backdoor were using trojanized VPN apps to infect devices with malware.
I recommend being very careful when downloading new software from the web: where the vendor publishes a checksum or signs its installer, verify it before running the file. If you notice that your device is acting strangely, run a reputable anti-malware scanner if possible, and bear in mind that a reboot alone will not remove a backdoor that has established persistence; reinstalling the operating system from trusted media is the reliable way to eradicate it.
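As an added illustration of the “verify before you run it” advice above (example code written for this page, not IPany’s or ESET’s, and not part of the original article), the following checks a downloaded installer against a vendor-published SHA-256 digest. The installer bytes and the “published” digest are constructed inline so the block runs offline; `verify_installer` and `VerifyResult` are names chosen here, not any real tool’s API.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional

@dataclass
class VerifyResult:
    ok: bool
    reason: str
    actual_sha256: str

def sha256_of(data: bytes, chunk_size: int = 1 << 20) -> str:
    """Hash in chunks so the same logic works for multi-hundred-MB installers."""
    h = hashlib.sha256()
    for offset in range(0, len(data), chunk_size):
        h.update(data[offset:offset + chunk_size])
    return h.hexdigest()

def verify_installer(data: bytes, published_sha256: Optional[str]) -> VerifyResult:
    """Compare the file's SHA-256 with the digest the vendor published.

    Refuses to pass when there is no published digest, when the published
    value is not a well-formed SHA-256 hex string, or when the digests differ.
    """
    actual = sha256_of(data)
    if not published_sha256:
        return VerifyResult(False, "no published hash to compare against", actual)
    expected = published_sha256.strip().lower()
    if len(expected) != 64 or any(c not in "0123456789abcdef" for c in expected):
        return VerifyResult(False, "published hash is not a SHA-256 hex digest", actual)
    # Constant-time comparison; cheap insurance even though the digest is public.
    if not hmac.compare_digest(actual, expected):
        return VerifyResult(False, "hash mismatch: file differs from published build", actual)
    return VerifyResult(True, "hash matches published build", actual)

def verify_installer_file(path: str, published_sha256: Optional[str]) -> VerifyResult:
    """Same check for a file on disk, read as one buffer for simplicity."""
    with open(path, "rb") as f:
        return verify_installer(f.read(), published_sha256)

# Constructed sample data (assumption: not real IPany binaries). The "clean"
# build is a fake PE-looking blob; the "trojanized" build is the same bytes
# with an extra payload appended, mimicking an installer that bundles more
# than the vendor shipped.
CLEAN_INSTALLER = b"MZ" + b"\x90" * 64 + b"IPany VPN setup (constructed sample)"
TROJANIZED_INSTALLER = CLEAN_INSTALLER + b"<constructed extra payload>"
PUBLISHED_SHA256 = sha256_of(CLEAN_INSTALLER)  # stands in for the vendor's digest

if __name__ == "__main__":
    for label, blob in (("clean", CLEAN_INSTALLER), ("trojanized", TROJANIZED_INSTALLER)):
        r = verify_installer(blob, PUBLISHED_SHA256)
        print(f"{label}: ok={r.ok} ({r.reason}) sha256={r.actual_sha256[:16]}...")
```

One caveat that matters for this particular incident: a hash published on the same website that served the trojanized installer could have been replaced along with the file, so the digest should come from a separate channel (a signed release note, a package manager’s metadata, or a hash obtained before the download). A check like this catches tampering between vendor and user; an Authenticode signature check against the vendor’s certificate is the stronger complement when the vendor signs its builds.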