PlushDaemon APT Targets South Korean VPN Provider in Supply Chain Attack
Briefly

ESET has uncovered a previously unknown APT group called PlushDaemon, assessed as China-aligned, which carried out a supply chain attack against the South Korean VPN provider IPany in 2023. The attackers used a trojanized NSIS installer for Windows that deployed a backdoor, SlowStepper, which comes with a toolkit of around 30 components written in several programming languages. The group's tactics include hijacking software update channels and exploiting web server vulnerabilities to gain initial access to networks; in this case, affected users were found in networks linked to a semiconductor company and a software development company. The ultimate targets of the attack remain unclear.
A previously undocumented China-aligned advanced persistent threat (APT) group named PlushDaemon has been linked to a supply chain attack targeting a South Korean virtual private network (VPN) provider in 2023.
The attackers replaced the legitimate installer with one that also deployed the group's signature implant that we have named SlowStepper - a feature-rich backdoor with a toolkit of more than 30 components.
Another crucial aspect of its attacks is the hijacking of legitimate software update channels and exploitation of vulnerabilities in web servers to gain initial access to the target network.
Telemetry data gathered by ESET shows that several users attempted to install the trojanized software in the networks associated with a semiconductor company and an unidentified software development company in South Korea.
Read at The Hacker News