IPany VPN - isotope¹³

Incident Summary

South Korean IPany VPN installer backdoored.

The legitimate installer for IPany VPN, a South Korean VPN provider, available on their official website was replaced with a malicious version. This trojanized installer deployed both the legitimate VPN software and the SlowStepper backdoor, used by the PlushDaemon APT group (suspected China-aligned) for espionage.

Date: 2024-05-01 to 2024-05-31
Category: Commercial
Target Surface: Distribution
Insertion Phase: distribution
Impact: Backdoor
Cause: Website compromise

What Was Affected

Package IPany VPN

LanguagePython

ComponentApplication

Artifact typebinary archive

Domain typeproject download host

Domain ipany.co.kr

Compromised Versions

Specific NSIS installer version available on ipany.co.kr during the compromise period in May 2024.

Incident Context

Motive: Espionage
Attribution: Nation-state
Transitive: No
Observed Duration: 30 days

Evidence

Compromised Artifacts

Trojanized NSIS installer for IPany VPN, downloaded from ipany.co.kr during May 2024.

Current Artifacts and Analysis

Indicators and Changes

Hashes

sha1:33a239a061f8194195125e51e43051594df3e93a

External References

bleepingcomputer.com/news/security/hackers-backdoor-south-korean-vpn-installer-with-feature-rich-malware

Source Data

Source record: proprietary/ipany/meta.yaml