Chinese Hacking Group PlushDaemon Compromises VPN Provider's Website in Espionage Attack

In a cyberespionage operation, the China-aligned hacking group PlushDaemon (the name given to it by ESET, which tracks the group's activity back to at least 2019) compromised the website of South Korean VPN provider IPany and replaced the legitimate installer with a trojanized one, distributing malware to the provider's users. ESET, which uncovered the compromise in May 2024, describes it as a supply chain attack; the group's broader targeting includes victims in China, Taiwan, South Korea, and the United States.

ESET's endpoint protection first flagged the infections on Windows computers, and investigators traced the malicious installer back to IPany's own website. The installer carried PlushDaemon's SlowStepper backdoor alongside the genuine VPN software, so the victim got a working VPN client while the backdoor quietly established communication with the attackers' command and control servers. Because the backdoor arrived through a trusted vendor's download channel, PlushDaemon was in a position to spy on whatever high-value organizations installed the software.

Impact on High-Value Targets

“Via ESET telemetry, we found that several users attempted to install the trojanized software in the network of a semiconductor company and an unidentified software development company in South Korea,” – ESET

The incident highlights the reach of PlushDaemon's tactics. The earliest cases ESET detected involved victims in Japan in November 2023 and in China in December 2023. Rather than targeting specific organizations directly, the group relied on the popularity of IPany's VPN service to put the malware in front of a broad user base.

“Upon further analysis, we discovered that the installer was deploying both the legitimate software and the backdoor that we’ve named SlowStepper,” – ESET

ESET informed IPany of the compromise, and the malicious installer was removed from the website. Because the trojanized installer had been available for months before it was discovered, removal does not undo earlier infections, and the attack may already have enabled espionage against strategic targets in critical industries.
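The attack worked because users had no way to tell the trojanized installer from the genuine one: both came from the vendor's own site and both installed a working VPN client. The practical defence is to verify a downloaded installer against a hash obtained out of band (for example from a vendor security advisory, a package mirror, or a hash pinned when the build was first vetted) before running it. The following Python is an added example written for this article, not code from ESET, IPany, or the original report; the installer bytes, file name, and manifest are constructed stand-ins and are not real IPany artifacts or hashes.

```python
import hashlib
import hmac
from enum import Enum
from typing import Dict, Optional

# Constructed sample data (not real files): a "clean" installer and a
# "trojanized" one that still contains the clean build but carries an
# extra payload appended to it, mirroring the bundle-the-legit-software
# pattern described in the article.
CLEAN_INSTALLER = b"vpn-client-setup-v1.0:" + bytes(range(256))
TROJANIZED_INSTALLER = CLEAN_INSTALLER + b"\x00extra-dropper-stage"

# Hypothetical out-of-band manifest: file name -> expected SHA-256.
# In practice this must come from somewhere other than the download site
# itself; a hash published next to a trojanized download proves nothing.
PINNED_HASHES: Dict[str, str] = {
    "VPNsetup.exe": hashlib.sha256(CLEAN_INSTALLER).hexdigest(),
}


class Verdict(Enum):
    OK = "hash matches pinned value"
    MISMATCH = "hash differs from pinned value; do not run this file"
    UNPINNED = "no pinned hash for this file; cannot verify"


def sha256_hex(data: bytes, chunk_size: int = 1 << 16) -> str:
    """Hash in fixed-size chunks so the same routine works for large files."""
    h = hashlib.sha256()
    for offset in range(0, len(data), chunk_size):
        h.update(data[offset:offset + chunk_size])
    return h.hexdigest()


def verify_installer(name: str, data: bytes,
                     manifest: Optional[Dict[str, str]] = None) -> Verdict:
    """Compare an installer's SHA-256 against the pinned value for its name.

    UNPINNED is deliberately distinct from MISMATCH: an unlisted file is
    unverifiable, which an install pipeline should treat as a failure too,
    but it is a different operational problem (missing manifest entry)
    than a file that actively contradicts the manifest.
    """
    manifest = PINNED_HASHES if manifest is None else manifest
    expected = manifest.get(name)
    if expected is None:
        return Verdict.UNPINNED
    actual = sha256_hex(data)
    # Constant-time comparison; not strictly needed for hex digests of a
    # local file, but it is the habit to keep for any secret-like compare.
    if hmac.compare_digest(actual, expected):
        return Verdict.OK
    return Verdict.MISMATCH


def verify_file(path: str, manifest: Optional[Dict[str, str]] = None) -> Verdict:
    """Same check for a file on disk, streamed rather than read whole."""
    import os
    with open(path, "rb") as f:
        data = f.read()
    return verify_installer(os.path.basename(path), data, manifest)


if __name__ == "__main__":
    for label, blob in (("clean", CLEAN_INSTALLER),
                        ("trojanized", TROJANIZED_INSTALLER)):
        print(f"{label:10s} -> {verify_installer('VPNsetup.exe', blob).value}")
    print(f"{'unlisted':10s} -> {verify_installer('Other.exe', CLEAN_INSTALLER).value}")
```

The check catches exactly the case in this story, a modified installer served from the legitimate site, but only if the pinned hash was captured from a trustworthy build or published through a channel the attacker did not control. Checking the installer's code signature is a useful second gate on Windows, but it is not a substitute: the article does not say whether the trojanized IPany installer was signed, and signing alone does not prove the file is the one the vendor meant to ship.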

“Therefore, we believe that anyone using the IPany VPN might have been a valid target,” – ESET

PlushDaemon's operation underscores how exposed software supply chains are: a single compromised download page turned a legitimate VPN client into a delivery vehicle for a backdoor, with no exploit needed on the victim's side. It also shows the persistence of state-aligned groups, which in this case had been distributing the trojanized installer for months before it was noticed.

What The Author Thinks

The need for stronger controls over software supply chains, including regular audits of the channels through which software is distributed and verification of installers before they are trusted, has never been more pressing, as both state-aligned and criminal actors continue to exploit every available avenue into valuable corporate and government networks.
