Chinese hackers compromise South Korean VPN — malicious code found inside NSIS installer

[Image: Fingerprint security (Image credit: Pexels)]

Chinese-linked hackers have reportedly compromised South Korean VPN provider IPany in a calculated supply chain attack that exposed numerous users to malware (via ESET Research). The attackers infiltrated IPany’s software development pipeline, injecting malicious code into the NSIS installer for its Windows-based VPN application.

This sophisticated operation enabled the distribution of a custom backdoor, known as "SlowStepper," to unsuspecting users. It is another high-profile example of supply chain vulnerabilities being exploited for cyber espionage.

The breach was initially uncovered in May 2024 by researchers from Slovak-based cybersecurity firm ESET. They identified the altered installer being served directly from IPany’s official website. The attackers tampered with the installer to include the SlowStepper backdoor. This modular malware allows attackers to exfiltrate sensitive data, execute commands, and maintain long-term persistence on compromised systems. Users downloading what appeared to be legitimate software updates inadvertently exposed their systems to the backdoor, granting the attackers significant control over their devices.

"The victims appear to have manually downloaded a ZIP archive containing a malicious NSIS installer from the URL https://ipany[.]kr/download/IPanyVPNsetup.zip," said ESET researcher Facundo Muñoz in the blog post.

The group behind this attack, PlushDaemon, is a Chinese advanced persistent threat (APT) actor that has been active since at least 2019. PlushDaemon is known for hijacking legitimate software distribution channels to deliver malicious payloads. In this case, they accessed IPany’s software repository, altered the installer, and ensured it was distributed through official channels. Their tactics include redirecting legitimate traffic to attacker-controlled servers to deliver malicious updates, a hallmark of supply chain compromise.

China has several active APT groups engaged in persistent cyber espionage against the US and its allies. Recently, Chinese APT Salt Typhoon infiltrated US broadband provider networks, but the investigation faced setbacks when President Trump fired the cyber safety board overseeing it.

Meanwhile, the emergence of PlushDaemon, a new and sophisticated China-aligned APT group with a diverse toolset and a long operational history, highlights the growing cyber threat. Experts urge organizations to remain vigilant against increasingly advanced malicious activity. The breach at IPany is also a stark reminder that even widely trusted providers are vulnerable to cyber-attacks, necessitating a proactive approach to security.

Kunal Khullar
News Contributor

Kunal Khullar is a contributing writer at Tom’s Hardware. He is a long-time technology journalist and reviewer specializing in PC components and peripherals, and welcomes any and every question around building a PC.