A China-linked cyber espionage group has reportedly exploited a legitimate VPN service to spread malware and spy on victims’ activities. ESET’s security research team found the malicious code (along with legitimate software) in the Windows installer from IPany, a South Korean VPN provider.
The so-called PlushDaemon APT group is also known to have hijacked legitimate Chinese app updates, but this technically advanced supply chain attack against a trusted Korean VPN company makes the hacking group “a significant threat to be taken into account,” said ESET experts.
SlowStepper’s Back Door
ESET’s new report sheds light on a previously undisclosed China-aligned APT group called PlushDaemon, which experts believe has been active since at least 2019, and one of its malicious operations aims to spy on the target’s activities.
To do so, the hackers hijacked legitimate Chinese app updates and launched a supply chain attack against South Korean VPN developer IPany. Both operations involve injecting a malicious backdoor into the device while victims install the software.
The backdoor, called SlowStepper, is based on advanced infrastructure that allows extensive data collection and espionage through audio and video recording.
“We did not find any suspicious code on the download page to perform specific downloads, for example by geofencing specific regions or IP ranges,” the experts explain. “Therefore, we believe that anyone who used IPany VPN could have been a valid target.”
You can read the full technical analysis in the ESET blog post here.
The experts contacted the developer of the VPN software to inform them of the compromise. The company then removed the malicious installer from its website.
However, ESET’s findings raise concerns for the safety of Internet users, especially considering that the hacking group managed to go undetected for so long.
The experts wrote: “The numerous components of the PlushDaemon toolset and its rich version history show that, although unknown until now, this China-aligned APT group has been operating diligently to develop a wide range of tools, making it a significant threat to be taken into account.”
Worse yet, this is far from the only case where VPN users (i.e., people actively seeking to protect their data online) are the primary target. Google reported a similar threat in early January 2025, warning about how Playfulghost attackers used VPN apps to infect devices with malware.
I recommend being very careful when downloading new software from the web. If you notice your device acting strangely, you should run a malware removal service, whenever possible, and consider rebooting the system to eradicate the potential threat.