# PlushDaemon APT hacked South Korean VPN software with SlowStepper backdoor as part of a 2023 espionage campaign
# Threat Actor: PlushDaemon APT
## Attribution & Identity
**Identification:** PlushDaemon is a previously undocumented Advanced Persistent Threat (APT) group.
**Attribution:** Confirmed by ESET research to be a **China-linked** group.
**Known Aliases/Groups:** None explicitly mentioned other than PlushDaemon itself. Active since 2019.
## Activity Summary
PlushDaemon conducted a cyber espionage operation in 2023 targeting South Korean VPN software. The group executed a supply chain compromise by replacing legitimate software updates for the South Korean VPN product, *IPany*, with trojanized versions available for download on the developer's website. The goal appears to be extensive surveillance and data collection against impacted entities.
## Tactics, Techniques & Procedures
- **Supply Chain Compromise:** Hijacking legitimate software updates by replacing them with trojanized installers.
- **Persistence Mechanism:** Malicious installer deployed files engineered to ensure the backdoor, SlowStepper, maintained persistence on infected systems.
- **Data Collection & Exfiltration:** SlowStepper features modules for comprehensive data harvesting and exfiltration.
- **Reconnaissance:** Includes network reconnaissance capabilities.
- **Defense Evasion/Operational Security:** Abusing legitimate tools to sideload malicious code.
- **Development Focus:** Toolset shows rich version history, indicating diligent development.
- **Communication:** Used advanced communication methods, including DNS queries, to connect to C2 infrastructure.
**MITRE ATT&CK IDs:** Not stated in the source text; the described behaviour maps to:
- T1195 (Supply Chain Compromise)
- T1059 (Command and Scripting Interpreter, via the Python modules)
- T1041 (Exfiltration Over C2 Channel)
## Targeting
- **Sectors:** South Korean semiconductor industry and software industry entities.
- **Geography:** Entities located in South Korea; also targeted individuals in China and Japan.
- **Victims:** Entities in South Korea's semiconductor and software sectors; individuals in China and Japan. The specific compromise cited involved the VPN software *IPany* developed in South Korea.
## Tools & Infrastructure
- **Malware Families Used:** **SlowStepper** (a feature-rich backdoor with over 30 modules).
- **Infrastructure:** Command-and-control (C2) servers reached through advanced communication methods, including DNS queries.
- **Tools/Languages:** SlowStepper modules were written in C++, Python, and Go.
## Implications
PlushDaemon represents a significant and sophisticated threat, leveraging supply chain compromises against trusted software vendors to gain access to high-value targets in the tech sector. Their focus on the South Korean technology ecosystem, observed through the IPany compromise, indicates a sustained cyber espionage agenda focused on strategic economic intelligence. The group demonstrates advanced tooling and development maturity.
## Mitigations
- Enhance **Supply Chain Security** protocols to rigorously vet software updates and installations.
- Implement **Proactive Threat Monitoring** to detect unusual system behavior indicative of backdoors like SlowStepper.
- Focus detection efforts on persistent processes and abnormal network communication patterns, particularly the **DNS tunneling/queries** used for C2 communications.
- Ensure systems are protected against the lateral movement and sensitive-data exfiltration techniques employed by advanced C++/Python/Go malware such as SlowStepper.
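The DNS-query detection the list above calls for, written out as an added example (not code from the ESET report, this page, or the PlushDaemon toolset). The page says only that SlowStepper uses DNS queries to reach its C2, so the script applies a generic DNS-tunnelling heuristic rather than any SlowStepper-specific protocol detail: it groups resolver queries by parent domain and flags domains that receive many unique, long, high-entropy subdomain labels, which is what encoded data looks like when carried in DNS names. The log format, hostnames (RFC 2606 example domains), client addresses and thresholds are all constructed assumptions.

```python
import math
import re
from collections import defaultdict

# Constructed resolver log lines (not real telemetry, not indicators from the
# report). One host makes ordinary lookups; another issues a burst of long,
# high-entropy TXT queries under a single parent domain, the shape DNS-carried
# C2 traffic tends to take.
SAMPLE_LOG = """\
2023-05-01T10:00:01Z client=10.0.0.5 type=A query=www.example.com
2023-05-01T10:00:02Z client=10.0.0.5 type=A query=mail.example.com
2023-05-01T10:00:03Z client=10.0.0.5 type=AAAA query=www.example.org
2023-05-01T10:00:04Z client=10.0.0.9 type=TXT query=4a7f9c2e1b8d3e6f0a5c7b9d2e4f6a8c.updates.example.net
2023-05-01T10:00:05Z client=10.0.0.9 type=TXT query=9d2e4f6a8c1b3d5f7a9c0e2b4d6f8a1c.updates.example.net
2023-05-01T10:00:06Z client=10.0.0.9 type=TXT query=0e2b4d6f8a1c3e5a7c9e1b3d5f7a9c2e.updates.example.net
2023-05-01T10:00:07Z client=10.0.0.9 type=TXT query=3e5a7c9e1b3d5f7a9c2e4f6a8c0b2d4f.updates.example.net
2023-05-01T10:00:08Z client=10.0.0.9 type=TXT query=6a8c0b2d4f1e3a5c7b9d2e4f6a8c0e2b.updates.example.net
2023-05-01T10:00:09Z client=10.0.0.5 type=A query=cdn.example.com
"""

# Assumed log layout: "<timestamp> client=<ip> type=<qtype> query=<name>".
LINE_RE = re.compile(r"client=(?P<client>\S+)\s+type=(?P<qtype>\S+)\s+query=(?P<name>\S+)")


def shannon_entropy(s: str) -> float:
    """Bits per character of the string; 0.0 for an empty string."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def parse_log(text: str) -> list:
    """Extract client, query type and queried name from each log line that matches."""
    return [m.groupdict() for m in (LINE_RE.search(line) for line in text.splitlines()) if m]


def split_name(name: str, levels: int = 2):
    """Return (leftmost label, parent domain made of the last `levels` labels)."""
    labels = name.rstrip(".").lower().split(".")
    return labels[0], ".".join(labels[-levels:])


def score_domains(rows: list) -> dict:
    """Aggregate per parent domain the features the tunnelling heuristic uses."""
    agg = defaultdict(lambda: {"queries": 0, "txt": 0, "labels": set(),
                               "label_len": 0, "entropy": 0.0, "clients": set()})
    for r in rows:
        label, parent = split_name(r["name"])
        a = agg[parent]
        a["queries"] += 1
        a["txt"] += int(r["qtype"] == "TXT")
        a["labels"].add(label)
        a["label_len"] += len(label)
        a["entropy"] += shannon_entropy(label)
        a["clients"].add(r["client"])
    stats = {}
    for parent, a in agg.items():
        n = a["queries"]
        stats[parent] = {
            "queries": n,
            "unique_labels": len(a["labels"]),
            "mean_label_len": a["label_len"] / n,
            "mean_entropy": a["entropy"] / n,
            "txt_ratio": a["txt"] / n,
            "clients": sorted(a["clients"]),
        }
    return stats


def flag_tunnelling(stats: dict, min_unique: int = 5, min_len: int = 20,
                    min_entropy: float = 3.0) -> list:
    """Parent domains whose query names look like encoded data rather than hostnames.
    The thresholds are illustrative assumptions; tune them against your own baseline."""
    return sorted(d for d, s in stats.items()
                  if s["unique_labels"] >= min_unique
                  and s["mean_label_len"] >= min_len
                  and s["mean_entropy"] >= min_entropy)


if __name__ == "__main__":
    stats = score_domains(parse_log(SAMPLE_LOG))
    for d in flag_tunnelling(stats):
        s = stats[d]
        print(f"{d}: {s['queries']} queries, {s['unique_labels']} unique labels, "
              f"mean label len {s['mean_label_len']:.1f}, entropy {s['mean_entropy']:.2f}, "
              f"TXT ratio {s['txt_ratio']:.2f}, clients {s['clients']}")
```

Run against the sample, only the domain receiving the hex-label TXT burst is reported; the ordinary `www`/`mail`/`cdn` lookups fall well under every threshold. On real resolver logs the same three features (unique labels per parent, label length, label entropy) separate beaconing and data-carrying queries from normal traffic, but CDNs, anti-spam services and some telemetry SDKs also use long generated labels, so the flagged list is a triage queue for analysts, not a block list.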