A cyberespionage group linked to China has been found exploiting a legitimate VPN service to distribute malware and conduct surveillance on victims. The group, known as PlushDaemon APT, was discovered by ESET security researchers who identified the malicious code hidden within the Windows installer of IPany, a South Korean VPN provider. This sophisticated supply-chain attack highlights the group’s ability to compromise trustworthy software.
Among the malware identified is the SlowStepper backdoor, which enables extensive data collection and spying, including recording audio and video on the victim's device. Although no targeted downloads were detected, experts believe that anyone who downloaded the IPany VPN installer during the affected period could have been at risk. ESET notified the VPN developer, who promptly removed the compromised installer from their website.
The discovery of the PlushDaemon APT group sheds light on a previously unknown cybersecurity threat. Their extensive toolset and history of operations indicate a significant risk, especially given their ability to evade detection for an extended period. Internet users, particularly VPN users, are urged to exercise caution when downloading software online and to promptly address any suspicious activity on their devices.