A China-linked cyberespionage group has reportedly exploited a legitimate VPN service to spread malware and spy on victims’ activities. The ESET security research team found the malicious code – alongside the legitimate software – in the Windows installer of IPany, a South Korean VPN provider.
The so-called PlushDaemon APT group is also known to have hijacked legitimate updates of Chinese applications, but this technical-advanced supply-chain attack against a trustworthy Korean VPN firm makes the hacking group “a significant threat to watch for,” said ESET experts.
The SlowStepper backdoor
ESET’s new report shed light on a previously undisclosed China-aligned APT group so-called PlushDaemon which experts believe to have been active since at least 2019 – and one of its malicious operations aims to spy on the target’s activities.
To do so, hackers have hijacked legitimated updates of Chinese apps and launched a supply-chain attack against South Korean VPN developer IPany. Both involve injecting a malicious backdoor into the device while the victims install the software.
Named SlowStepper, the backdoor is built on an advanced infrastructure that enables extensive data collection and spying through the recording of audio and videos.
“We found no suspicious code on the download page to produce targeted downloads, for example by geofencing to specific targeted regions or IP ranges,” experts explain. “Therefore, we believe that anyone using the IPany VPN might have been a valid target.”
You can read the full technical analyses in the ESET blog post here .
When the malicious IPanyVPNsetup.exe installer is executed, it creates several directories and deploys both legitimate and malicious files. (Image credit: ESET)
Experts contacted the VPN software developer to inform them of the compromise. The company then removed the malicious installer from its website.
Nonetheless, ESET findings raise concerns for internet users’ security, especially considering that the hacking group managed to fly under the radar for so long.
Experts wrote: “The numerous components in the PlushDaemon toolset, and its rich version history, show that, while previously unknown, this China-aligned APT group has been operating diligently to develop a wide array of tools, making it a significant threat to watch for.”
Worse still, this is far from the only instance in which VPN users – so, someone actively looking to protect their online data – are the main target. Google reported a similar threat at the beginning of January 2025 warning against how Playfulghost attackers used VPN apps to infect devices with malware.
I recommend being extra careful when downloading new software from the web. If you notice your device acting oddly, you should run a malware removal service, whenever possible, and consider a system reboot to eradicate the potential threat.
