Supply chain of Korean VPN service compromised

Jan. 22, 2025, 7:17 p.m.

Description

ESET researchers have uncovered a supply-chain attack against a South Korean VPN provider by a previously unknown China-aligned APT group named PlushDaemon. The attackers replaced the legitimate VPN installer with a malicious version that deployed their SlowStepper backdoor, a feature-rich implant with over 30 components. PlushDaemon has been active since at least 2019, targeting entities in China, Taiwan, Hong Kong, South Korea, the US, and New Zealand. The group's main initial access vector is hijacking legitimate updates of Chinese applications. SlowStepper uses a multi-stage C&C protocol involving DNS queries and has an extensive toolkit of Python and Go modules for data collection and espionage.

Date

  • Created: Jan. 22, 2025, 2:41 p.m.
  • Published: Jan. 22, 2025, 2:41 p.m.
  • Modified: Jan. 22, 2025, 7:17 p.m.

Attack Patterns

Additional Information

  • Semiconductor
  • Technology
  • New Zealand
  • Hong Kong
  • Taiwan
  • China
  • Japan
  • United States of America