New Chinese cyberespionage campaign targeted South Korean VPN service

Organizations across East Asia, including a semiconductor firm and software development company in South Korea and others in China and Japan, have been targeted by newly discovered Chinese advanced persistent threat operation PlushDaemon with the SlowStepper malware in a cyberespionage intrusion involving a malicious installer for South Korean VPN provider IPany, according to The Hacker News.

Execution of the trojanized installer — which took the place of IPany's legitimate one following a supply chain attack by PlushDaemon in 2023 — triggers deployment of a loader with another DLL eventually resulting in the running of SlowStepper, which supports commands enabling extensive system info theft, file deletion, Python module execution, and self-deletion, an analysis from ESET revealed. "The numerous components in the PlushDaemon toolset, and its rich version history, show that, while previously unknown, this China-aligned APT group has been operating diligently to develop a wide array of tools, making it a significant threat to watch for," said ESET.