A newly discovered China-aligned advanced persistent threat group, dubbed PlushDaemon, has been linked to a supply chain attack against a South Korean VPN service provider, highlighting the escalating risks facing the cryptocurrency and broader technology ecosystem. Uncovered by ESET researchers on January 22, 2025, the operation reveals how state-sponsored threat actors continue to exploit trusted software distribution channels to deploy sophisticated surveillance tools.
The Exploit Mechanics
The attack centered on IPany, a legitimate VPN service developed by a South Korean company and distributed through the website ipany.kr. PlushDaemon operators replaced the legitimate VPN installer with a trojanized NSIS installer packaged inside a ZIP archive called IPanyVPNsetup.zip. When users downloaded and executed the installer, it deployed both the legitimate VPN software and a feature-rich backdoor that ESET has named SlowStepper.
The SlowStepper implant is remarkably comprehensive, featuring a toolkit composed of more than 30 modules programmed in C++, Python, and Go. This multi-language architecture suggests a well-resourced development team with diverse capabilities. The backdoor establishes persistence on compromised systems and provides operators with extensive surveillance and data exfiltration capabilities.
Affected Systems
Through ESET telemetry, researchers identified several victims who installed the trojanized software, including systems within a semiconductor company and an unidentified software development firm in South Korea. The oldest detected cases date back to November 2023 in Japan and December 2023 in China, indicating the campaign had been active for well over a year before discovery.
PlushDaemon has been active since at least 2019, conducting espionage operations against individuals and entities in China, Taiwan, Hong Kong, South Korea, the United States, and New Zealand. The group primarily gains initial access by hijacking legitimate software updates, redirecting traffic to attacker-controlled servers. They have also been observed exploiting vulnerabilities in legitimate web servers to establish a foothold.
The Mitigation Strategy
ESET contacted the VPN software developer directly after discovering the compromise, and the malicious installer was promptly removed from the IPany website. Organizations can protect themselves by verifying software integrity through cryptographic hash checks before installation, implementing application whitelisting policies, and maintaining robust endpoint detection and response solutions that can identify suspicious installer behavior.
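One way to operationalize the hash check recommended above, as an added example that is not ESET's, IPany's or PlushDaemon-related code: the reference hash is pinned from a channel independent of the download page (a hypothetical manifest in sha256sum format kept out-of-band), so that swapping the installer on the site does not also swap the value it is checked against. The archive name comes from the report; the archive bytes and the tampered "mirror" copy are constructed.

```python
import hashlib
import hmac
import os
import tempfile

def sha256_file(path, chunk_size=1 << 20):
    """Stream the file through SHA-256 so a large installer never has to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()

def parse_manifest(text):
    """Parse sha256sum(1)-style lines '<hex>  <name>' (a leading '*' on the name marks binary mode)."""
    pinned = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2 or len(parts[0]) != 64 or not all(c in "0123456789abcdefABCDEF" for c in parts[0]):
            raise ValueError(f"malformed manifest line: {line!r}")
        pinned[parts[1].lstrip("*")] = parts[0].lower()
    return pinned

def verify_download(path, manifest_text):
    """Return (ok, reason). Only an exact match against a pinned hash is accepted."""
    pinned = parse_manifest(manifest_text)
    name = os.path.basename(path)
    if name not in pinned:
        return False, f"{name} is not in the pinned manifest; do not install"
    actual = sha256_file(path)
    if not hmac.compare_digest(actual, pinned[name]):  # constant-time comparison
        return False, f"hash mismatch for {name}: got {actual}, expected {pinned[name]}"
    return True, f"{name} matches its pinned hash"

def demo():
    """Constructed demo: a placeholder archive, its pinned hash, and a tampered copy from a 'mirror'."""
    with tempfile.TemporaryDirectory() as tmp:
        good = os.path.join(tmp, "IPanyVPNsetup.zip")  # file name from the report; bytes are made up
        with open(good, "wb") as f:
            f.write(b"constructed placeholder bytes, not a real installer\n")
        manifest = f"{sha256_file(good)}  IPanyVPNsetup.zip\n"  # the value kept out-of-band
        os.mkdir(os.path.join(tmp, "mirror"))
        tampered = os.path.join(tmp, "mirror", "IPanyVPNsetup.zip")
        with open(tampered, "wb") as f:
            f.write(b"constructed placeholder bytes, not a real installer\n\x00tampered")
        return verify_download(good, manifest)[0], verify_download(tampered, manifest)[0]
```

A file whose name is absent from the manifest is rejected outright rather than hashed, which is the desired behaviour when a vendor silently renames or adds an installer.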
For cryptocurrency users and exchanges, this incident underscores the importance of downloading wallet software and security tools exclusively from verified official sources. Supply chain attacks represent one of the most dangerous threat vectors because they exploit inherent trust in established software vendors.
Lessons Learned
The PlushDaemon campaign demonstrates that supply chain attacks continue to evolve in sophistication. The use of a legitimate VPN installer as a delivery mechanism is particularly concerning for privacy-conscious users who actively seek out VPN solutions. The multi-year operational timeline suggests patient, well-funded threat actors with specific intelligence collection objectives.
User Action Required
Anyone who downloaded IPany VPN software between late 2023 and May 2024 should conduct a full system audit and check for indicators of compromise associated with SlowStepper. Organizations should review their software supply chain security policies, ensure multi-factor authentication is enabled on all critical accounts, and consider implementing behavioral analytics to detect anomalous processes running alongside legitimate applications. As Bitcoin trades near $103,653 and the broader crypto market continues to attract institutional capital, the threat landscape targeting digital asset infrastructure grows proportionally more complex.
Disclaimer: This article is for informational purposes only and does not constitute financial or security advice. Always conduct your own research and consult with qualified security professionals.
trojanized NSIS installer from the official site. this is why reproducible builds matter
supply chain attacks are getting wild. 30+ modules in one backdoor is insane
30+ modules in C++, Python, and Go. this is nation-state level engineering, not some random ransomware crew
C++, Python, and Go in one implant means this team has serious talent. China-aligned APT with that kind of multi-language capability is concerning for crypto infrastructure
30 modules across three languages means a dedicated team with QA and testing pipelines. this isn't a side project, it's a full intelligence operation
SlowStepper having 30+ modules across three languages is wild. most ransomware crews barely manage clean C++ and these operators are running a full dev shop
the fact it came from the official site makes this so much worse. how do you even protect against that?
you protect against supply chain attacks by verifying signatures independently and not trusting the download page. ESET caught this one, the next one might go unnoticed
signature verification only works if the signing key itself isn't compromised. if they replaced the installer they could have replaced the signature too
exactly why I verify checksums for everything now. took me one close call to learn
nobody verifies signatures though. like actually nobody. even most devs just download and run. reproducible builds would solve this but adoption is near zero
IPany replaced the installer on their own site and nobody noticed for weeks probably. supply chain attacks work because nobody checks checksums until it's too late