The South Korean VPN provider IPany has found itself at the center of a major cyberattack orchestrated by the PlushDaemon group, allegedly linked to China. The attackers infiltrated the developer’s system and modified the IPanyVPN installer, resulting in users unknowingly downloading and installing a backdoor known as SlowStepper when retrieving the program from the official website.
According to researchers at ESET, the compromise began as early as November 2023 and continued until May 2024, though the precise timeline remains unclear. Experts highlight that the attack was not confined to South Korea, as the first signs of infection were detected in Japan.
After breaching IPany's developer system, the PlushDaemon operators embedded a malicious component into the installer executable IPanyVPNsetup.exe, which was shipped inside the archive IPanyVPNsetup.zip offered for download. Unaware of the danger, users installed both the legitimate VPN application and the malicious code, granting the attackers access to their systems.
The installer registered the implant in a Windows registry autostart (Run) key so that it launched at every system startup. It also relied on DLL sideloading, in which a legitimate executable loads a malicious library placed beside it, so that the malicious code ran under the cover of a trusted process and evaded detection.
ESET researchers noted that the version of SlowStepper used in the attack (designated 0.2.10 Lite) had a reduced feature set but remained dangerous and highly covert. It was built for espionage: collecting information about the host and its user, stealing credentials, and recording audio and video.
SlowStepper could also download and execute additional payloads, giving the operators an extensible toolkit to deepen their foothold on infected systems.
Thus far, at least two organizations in South Korea have been confirmed as victims of the attack: a semiconductor company and a software development firm. However, their identities have not been disclosed.
Given that the malicious installer was available for download from IPany’s official website, researchers warn that the attack may have impacted a significantly larger number of users and companies worldwide.
ESET notified IPany of the breach, and the compromised installer was promptly removed from the site. However, experts caution that users who installed the VPN client between November 2023 and spring 2024 may already be infected.
Users who downloaded the software during the affected period are strongly advised to scan their systems for SlowStepper and its associated components without delay. Where an infection is found, they should reinstall the VPN client from a clean source and conduct a thorough security review, including changing passwords used on the affected machine and assessing which data and accounts it could reach.
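The article names two traits of the implant, registry autostart persistence and DLL sideloading, and then tells affected users to check their systems. As an added example (not ESET's detection logic and not IPany's code), the script below audits the HKCU and HKLM Run keys and flags entries whose launch target lives outside Program Files or Windows, and in particular executables that sit next to DLLs, the layout sideloading depends on. On Windows it reads the real registry; elsewhere it runs against constructed sample entries. Every value name, path and file name in the sample data is made up for illustration and is not an indicator from the actual attack.

```python
"""Audit Windows Run-key autostart entries for registry persistence and a
DLL sideloading layout (an executable in a user-writable directory with DLLs
beside it). Added example, not code from ESET or IPany; all sample paths,
value names and file names below are constructed."""
from __future__ import annotations

import ntpath
import os
import sys
from dataclasses import dataclass
from typing import Callable, Iterable

RUN_SUBKEY = r"Software\Microsoft\Windows\CurrentVersion\Run"

# Where autostart binaries normally live; anything else (ProgramData,
# %PUBLIC%, the user profile, Temp) deserves a closer look.
TRUSTED_PREFIXES = ("c:\\program files\\", "c:\\program files (x86)\\", "c:\\windows\\")

# Signed Microsoft hosts that load whatever DLL they are pointed at.
LOADER_HOSTS = {"rundll32.exe", "regsvr32.exe"}


@dataclass
class Finding:
    hive: str
    name: str
    target: str
    reasons: list[str]


def split_command(command: str) -> tuple[str, list[str]]:
    """Split a Run-key value into (program, args) the way Windows does: a
    leading double quote encloses the program path, otherwise it ends at
    the first space."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        if end == -1:
            return command[1:], []
        return command[1:end], command[end + 1:].split()
    parts = command.split(None, 1)
    return parts[0], (parts[1].split() if len(parts) > 1 else [])


def normalize(path: str) -> str:
    """Expand %VAR% references, normalise separators and lowercase."""
    return ntpath.normpath(ntpath.expandvars(path)).lower()


def audit_entry(hive: str, name: str, command: str,
                list_dir: Callable[[str], Iterable[str]]) -> Finding | None:
    program, args = split_command(command)
    host = ntpath.basename(normalize(program))
    target = normalize(program)
    # For rundll32/regsvr32 the real payload is the DLL given as first argument.
    if host in LOADER_HOSTS and args:
        target = normalize(args[0].strip('"').split(",")[0])
    if target.startswith(TRUSTED_PREFIXES):
        return None
    reasons = ["autostart target outside Program Files / Windows"]
    if host in LOADER_HOSTS:
        reasons.append(f"launched through {host}")
    dlls = sorted(f for f in list_dir(ntpath.dirname(target)) if f.lower().endswith(".dll"))
    if target.endswith(".exe") and dlls:
        reasons.append("DLL sideloading candidate, executable sits beside: " + ", ".join(dlls))
    return Finding(hive, name, target, reasons)


def audit(entries: Iterable[tuple[str, str, str]],
          list_dir: Callable[[str], Iterable[str]]) -> list[Finding]:
    results = []
    for hive, name, command in entries:
        finding = audit_entry(hive, name, command, list_dir)
        if finding:
            results.append(finding)
    return results


def collect_run_entries() -> list[tuple[str, str, str]]:
    """Read the HKCU and HKLM Run keys via winreg (Windows only)."""
    import winreg
    hives = (("HKCU", winreg.HKEY_CURRENT_USER), ("HKLM", winreg.HKEY_LOCAL_MACHINE))
    entries = []
    for label, hive in hives:
        try:
            with winreg.OpenKey(hive, RUN_SUBKEY) as key:
                index = 0
                while True:
                    try:
                        name, value, _ = winreg.EnumValue(key, index)
                    except OSError:  # no more values
                        break
                    entries.append((label, name, str(value)))
                    index += 1
        except OSError:  # key absent or access denied
            pass
    return entries


def real_list_dir(directory: str) -> set[str]:
    try:
        return set(os.listdir(directory))
    except OSError:
        return set()


# Constructed sample: two ordinary entries and two in the shape described above.
SAMPLE_ENTRIES = [
    ("HKLM", "SecurityHealth", r"C:\Windows\System32\SecurityHealthSystray.exe"),
    ("HKCU", "OneDrive", r'"C:\Program Files\Microsoft OneDrive\OneDrive.exe" /background'),
    ("HKCU", "UpdaterSvc", r'"C:\Users\Public\Documents\Updater\helper.exe"'),
    ("HKCU", "CacheSync", r"rundll32.exe C:\ProgramData\Cache\cache.dll,Start"),
]
SAMPLE_LISTING = {  # constructed directory contents, keyed by lowercase path
    r"c:\users\public\documents\updater": {"helper.exe", "version.dll", "settings.bin"},
    r"c:\programdata\cache": {"cache.dll"},
}


def sample_list_dir(directory: str) -> set[str]:
    return SAMPLE_LISTING.get(directory.lower(), set())


if __name__ == "__main__":
    if sys.platform == "win32":
        findings = audit(collect_run_entries(), real_list_dir)
    else:
        findings = audit(SAMPLE_ENTRIES, sample_list_dir)
    for f in findings:
        print(f"[{f.hive}] {f.name} -> {f.target}")
        for reason in f.reasons:
            print("    " + reason)
```

The location heuristic is deliberately broad: plenty of legitimate software autostarts from the user profile, so a hit is a lead to examine (check the executable's signature and what the neighbouring DLLs are), not a verdict. Run keys are only one autostart mechanism; scheduled tasks, services and the Startup folder deserve the same review.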
Although supply chain attacks are becoming increasingly common, the case of IPany stands out due to its use of a multi-faceted malicious tool capable not only of espionage but also of full-scale control over compromised systems.
Cybersecurity researchers urge companies to prioritize the verification and validation of software before making it available to end users. Meanwhile, individual users are advised to exercise caution and utilize modern security tools to defend against such sophisticated threats.