Proprietary 2024-05-01 · 30 days · Backdoor, Data Theft, Remote Access

IPany VPN installer carried SlowStepper

PlushDaemon replaced IPany's official Windows VPN installer with a trojanized NSIS build. The installer deployed the legitimate VPN client alongside the modular SlowStepper backdoor, so the product kept working while the implant ran.

Story

IPany was compromised through its normal download path. ESET found malicious code in an NSIS installer downloaded from the legitimate South Korean VPN provider's website in May 2024. The package installed both the genuine IPany VPN software and a backdoor, so the visible product behaved normally and gave users no reason to suspect the download.

ESET attributed the operation to PlushDaemon, a China-aligned group active since at least 2019. The IPany case was one of its supply-chain paths; the group also hijacked updates for Chinese applications by redirecting traffic toward attacker-controlled servers.

The implant was SlowStepper, a PlushDaemon backdoor with a modular toolkit of more than 30 components. Public ESET summaries describe DNS-based multi-stage C2 and broad data collection from compromised machines.

ESET notified the VPN developer, and the malicious installer was removed from the site. The exposure window is approximate: the installer was discovered in May 2024, and public reporting does not give exact first-hosted and removal times, so the dates below mark the month of discovery rather than confirmed bounds.

Affected Artifacts

IPany VPN

Windows installer · ipany.co.kr · Binary Archive
Observed
2024-05-01 to 2024-05-31
Compromised Versions
Unknown
Fixed
Not listed
Hashes
  • sha1:33a239a061f8194195125e51e43051594df3e93a
Scope
The NSIS installer available on ipany.co.kr during the May 2024 compromise period.
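A practitioner who pulled the IPany installer during the exposure window will want to check whether the copy on disk is the trojanized build. The script below is an added example, not part of this record or of ESET's tooling: it hashes files under a directory in chunks and reports any whose SHA-1 appears in an IOC set seeded with the single hash listed above. The directory layout, the `.exe` suffix filter and the function names are this example's own assumptions.

```python
"""Sweep a directory tree for files whose SHA-1 matches a known-bad list.

Added example for this record, not code from IPany, ESET or PlushDaemon reporting.
The IOC set holds the one SHA-1 published for the trojanized IPany installer; the
scan root, suffix filter and output format are this script's own choices.
"""
import hashlib
import sys
from pathlib import Path

# SHA-1 listed under Affected Artifacts for the trojanized IPany NSIS installer.
IPANY_SLOWSTEPPER_SHA1 = {
    "33a239a061f8194195125e51e43051594df3e93a",
}


def sha1_of_file(path: Path, chunk_size: int = 1 << 20) -> str:
    """Hash a file in 1 MiB chunks so large installers need not fit in memory."""
    digest = hashlib.sha1()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def sweep(root: Path, iocs: set[str], suffixes=(".exe",)) -> list[tuple[Path, str]]:
    """Return (path, sha1) for every regular file under root whose SHA-1 is in iocs.

    Only files with one of the given suffixes are hashed; pass suffixes=None to
    hash everything. Unreadable files are skipped so one bad path does not abort
    the whole sweep. Matches are returned in the order rglob yields them.
    """
    wanted = {h.lower() for h in iocs}
    matches: list[tuple[Path, str]] = []
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        if suffixes is not None and path.suffix.lower() not in suffixes:
            continue
        try:
            digest = sha1_of_file(path)
        except OSError:
            continue
        if digest in wanted:
            matches.append((path, digest))
    return matches


if __name__ == "__main__":
    # Usage: python ioc_sweep.py [directory]   (defaults to the current directory)
    target = Path(sys.argv[1]) if len(sys.argv) > 1 else Path.cwd()
    hits = sweep(target, IPANY_SLOWSTEPPER_SHA1)
    for hit_path, hit_digest in hits:
        print(f"MATCH {hit_digest} {hit_path}")
    print(f"{len(hits)} match(es) under {target}")
    sys.exit(1 if hits else 0)
```

A hash match identifies only this exact build; a rebuilt or repacked installer would hash differently, so a clean sweep rules out this one artifact, not SlowStepper itself. Treat the SHA-1 as a first-pass indicator and follow a miss with the behavioural checks (DNS-based C2 traffic, unexpected persistence) that the reporting describes.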

Incident Context

Motive
Espionage
Attribution
State
Cause
Website Compromise
Transitive
No
Actor
PlushDaemon
Actor Country
China

Indicators

  • family: SlowStepper
  • group: PlushDaemon
  • file: IPany VPN NSIS installer
  • observable: Installer deployed both the legitimate IPany VPN software and SlowStepper.
  • observable: ESET notified the VPN developer and the malicious installer was removed.

External References

Source record: proprietary/ipany/meta.yaml