Full Report
A previously undocumented China-aligned advanced persistent threat (APT) group named PlushDaemon has been linked to a supply chain attack targeting a South Korean virtual private network (VPN) provider in 2023, according to new findings from ESET. "The attackers replaced the legitimate installer with one that also deployed the group's signature implant that we have named SlowStepper – a
Analysis Summary
# Threat Actor: PlushDaemon
## Attribution & Identity
* **Identification:** Previously undocumented China-aligned Advanced Persistent Threat (APT) group.
* **Aliases:** None given in the report; PlushDaemon is ESET's designation for this activity cluster.
* **Associations:** Assessed to be China-nexus. Operational since at least 2019.
## Activity Summary
* **Recent Campaign (2023-2024):** Linked to a supply chain attack targeting a South Korean Virtual Private Network (VPN) provider named **IPany** (`ipany[.]kr`).
* **Method:** Attackers replaced the legitimate Windows installer for the IPany VPN software (`IPanyVPNsetup.zip`) with a trojanized version. The rogue installer deployed the group's signature implant, **SlowStepper**.
* **Timeline:** The oldest victim telemetry dates back to November and December 2023 (Japan and China). The malicious code in the installer was identified in May 2024.
* **Initial Access:** Hijacking legitimate software update channels and exploiting vulnerabilities in web servers.
## Tactics, Techniques & Procedures
* **Initial Execution:** The victim runs the trojanized installer (`IPanyVPNsetup.exe`), which loads the malicious components via DLL sideloading.
* **Persistence:** The chain establishes persistence so the implant survives reboots; the mechanism is not described in this summary.
* **DLL Sideloading:** `AutoMsg.dll` loads shellcode, which loads `EncMgr.pkg`; that stage extracts files so that **PerfWatson.exe** (a renamed copy of `regcap.exe`, a legitimate utility from Microsoft Visual Studio) sideloads `lregdll.dll`.
* **Implant Loading:** The final **SlowStepper** implant is loaded from the file `winlogin.gif`.
* **Command and Control (C2):** Multi-stage C&C protocol that relies heavily on DNS TXT records: the implant queries `7051.gsm.360safe[.]company` through public DNS servers (114DNS, Google, Alibaba) to fetch an array of IP addresses. Fallback C&C resolves `st.360safe[.]company` with the `gethostbyname` API.
* **Remote Execution & Payload Delivery:** The backdoor supports remote execution of custom shell commands, running arbitrary payloads (`gcall`), updating its components (`update`), and executing Python modules (`pycall`).
* **Data Exfiltration/Espionage:** Numerous Python modules for surveillance and data gathering.
    * *Modules listed:* Browser (Chrome, Edge, Firefox, etc.), Camera (photo capture), CollectInfo (documents, WeChat, QQ, WPS), Location, ScreenRecord, Telegram, WirelessKey harvesting, and several password/cookie harvesting modules (`qqpass`, `Webpass`, `getOperaCookie`).
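The C&C behaviour above gives a concrete network signature: TXT lookups for a host under `360safe[.]company`, sent to public resolvers instead of the enterprise resolver. The following is an added detection example written for this summary, not ESET's or the implant's code. It runs simple rules over DNS query logs; the log format (`timestamp src_ip resolver_ip qtype qname`), the enterprise resolver address `10.0.0.53`, the per-host TXT threshold and the sample lines are all constructed assumptions. The resolver IPs are the public anycast addresses of the services the report names.

```python
"""Flag DNS TXT lookups matching the SlowStepper C&C pattern.

Added example (not ESET's or the implant's code). Derived from the report:
the implant queries a TXT record for a host under 360safe[.]company via
public resolvers (114DNS, Google, Alibaba) rather than the local resolver.
The log format, the enterprise resolver address and the threshold are
assumptions for this example.
"""
import ipaddress
from collections import Counter

# Resolvers workstations are allowed to use (assumption for the example).
APPROVED_RESOLVERS = {ipaddress.ip_address("10.0.0.53")}

# Public resolvers named in the report; addresses are their public anycast IPs.
PUBLIC_RESOLVERS = {
    ipaddress.ip_address("114.114.114.114"): "114DNS",
    ipaddress.ip_address("8.8.8.8"): "Google",
    ipaddress.ip_address("223.5.5.5"): "Alibaba",
}

# C&C domain from the report, undefanged so it matches live query names.
C2_SUFFIXES = ("360safe.company",)

# Constructed sample log: "timestamp src_ip resolver_ip qtype qname".
SAMPLE_LOG = """\
# constructed sample, not real telemetry
2024-05-02T09:00:01Z 10.1.2.30 10.0.0.53 A www.example.com
2024-05-02T09:00:05Z 10.1.2.30 114.114.114.114 TXT 7051.gsm.360safe.company
2024-05-02T09:00:06Z 10.1.2.30 8.8.8.8 TXT 7051.gsm.360safe.company
2024-05-02T09:00:07Z 10.1.2.30 223.5.5.5 TXT 7051.gsm.360safe.company
2024-05-02T09:00:20Z 10.1.2.30 10.0.0.53 A st.360safe.company
2024-05-02T09:01:00Z 10.1.2.45 10.0.0.53 TXT _dmarc.example.com
"""


def parse_line(line):
    """Split one log line into a record; qname is normalised to lower case."""
    ts, src, resolver, qtype, qname = line.split()
    return {
        "ts": ts,
        "src": ipaddress.ip_address(src),
        "resolver": ipaddress.ip_address(resolver),
        "qtype": qtype.upper(),
        "qname": qname.rstrip(".").lower(),
    }


def is_c2_domain(qname):
    """True when qname is, or sits under, a known C&C domain."""
    return any(qname == s or qname.endswith("." + s) for s in C2_SUFFIXES)


def analyze(log_text, txt_threshold=3):
    """Return (rule, source_host, detail) tuples for suspicious lookups."""
    alerts = []
    txt_per_host = Counter()
    for line in log_text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        rec = parse_line(line)
        src = str(rec["src"])
        if is_c2_domain(rec["qname"]):
            alerts.append(("known_c2_domain", src, rec["qname"]))
        if rec["qtype"] != "TXT":
            continue
        txt_per_host[src] += 1
        if rec["resolver"] not in APPROVED_RESOLVERS:
            label = PUBLIC_RESOLVERS.get(rec["resolver"], "unapproved resolver")
            alerts.append(("txt_to_external_resolver", src,
                           f"{rec['qname']} via {rec['resolver']} ({label})"))
    # A workstation issuing many TXT lookups is unusual even when the names are unknown.
    for host, count in txt_per_host.items():
        if count >= txt_threshold:
            alerts.append(("txt_volume", host, f"{count} TXT queries"))
    return alerts


if __name__ == "__main__":
    for rule, host, detail in analyze(SAMPLE_LOG):
        print(f"{rule:26} {host:12} {detail}")
```

The domain rule only catches the infrastructure already known; the resolver and volume rules are what would surface a new domain. Scope them to workstation subnets: mail servers and security tooling legitimately issue TXT lookups (SPF, DMARC), and any host that is allowed to talk to public resolvers directly will trip the second rule.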
## Targeting
* **Sectors:** Semiconductor company, unidentified software development company.
* **Geography:** China, Taiwan, Hong Kong, South Korea, United States, and New Zealand.
* **Victims:** IPany VPN service users; specific networks in South Korea associated with a semiconductor company and software developer were observed attempting to install the malware. Victims also recorded in Japan and China (late 2023).
## Tools & Infrastructure
* **Malware Families Used:** **SlowStepper** (feature-rich, multi-component backdoor developed since 2019, written in C++, Python, and Go).
* **Infrastructure (C&C):**
    * DNS Query Domain: `7051.gsm.360safe[.]company`
    * Fallback C&C Domain: `st.360safe[.]company`
    * Repository for Python Modules: the Chinese code hosting platform **GitCode** (`gitcode[.]net/LetMeGo22/`).
* **Codebase:** Tools written in Python and Go, including reverse proxy and download utilities.
## Implications
PlushDaemon represents a significant and diligently developed threat, evidenced by the extensive feature history of the SlowStepper implant and its complex, multi-stage C&C mechanism utilizing DNS. The focus on supply chain compromise demonstrates a mature capability to infiltrate established vendor software update channels to reach downstream targets, potentially impacting critical infrastructure and technology firms across East Asia and globally.
## Mitigations
* Implement rigorous monitoring and analysis of legitimate application installers for any unusual file drops or process injection activity.
* Review outbound DNS queries, particularly TXT lookups sent directly to public resolvers instead of the enterprise resolver, as a potential indicator of C&C beaconing.
* Scan software repositories (like GitCode) for suspicious code associated with identified threat actor infrastructure.
* Ensure endpoint detection and response (EDR) solutions are configured to detect suspicious DLL sideloading techniques, especially those involving renamed legitimate utilities (`regcap.exe`).
* Review network ingress/egress policies to strictly control communication pathways, limiting outbound DNS queries where possible.
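The sideloading chain in the TTP section and the EDR mitigation above both come down to two host-level checks: an executable whose on-disk name no longer matches the name in its version resource, and a DLL loaded from a user-writable directory next to the process loading it. The example below is added for this summary and is not ESET's tooling; it applies those two generic heuristics to Sysmon-style process-create (event ID 1) and image-load (event ID 7) records. The events, their paths and the `Signed` values are constructed, and the assumption that `regcap.exe` carries `regcap.exe` as its `OriginalFileName` is an assumption of this example, not a fact from the report.

```python
"""Hunt for the loader chain in Sysmon-style process and image-load events.

Added example, not ESET's tooling. Two generic sideloading heuristics are
applied to the file names the report gives:
  1. EID 1: on-disk name differs from the PE's OriginalFileName (the report
     says PerfWatson.exe is a renamed regcap.exe; that regcap.exe carries that
     OriginalFileName value is an assumption here).
  2. EID 7: an unsigned DLL is loaded from the loading process's own
     directory outside trusted system paths.
The events and the paths in them are constructed for this example.
"""
import ntpath

# Directories a standard user cannot normally write to (assumption).
TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")

# Constructed Sysmon-like events; paths are invented, file names are from the report.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": "C:\\Users\\alice\\Downloads\\IPanyVPNsetup.exe",
     "OriginalFileName": "-"},
    {"EventID": 7, "Image": "C:\\Users\\alice\\Downloads\\IPanyVPNsetup.exe",
     "ImageLoaded": "C:\\Users\\alice\\Downloads\\AutoMsg.dll", "Signed": "false"},
    {"EventID": 1, "Image": "C:\\Users\\alice\\AppData\\Local\\Temp\\PerfWatson.exe",
     "OriginalFileName": "regcap.exe"},
    {"EventID": 7, "Image": "C:\\Users\\alice\\AppData\\Local\\Temp\\PerfWatson.exe",
     "ImageLoaded": "C:\\Users\\alice\\AppData\\Local\\Temp\\lregdll.dll", "Signed": "false"},
    {"EventID": 7, "Image": "C:\\Windows\\System32\\svchost.exe",
     "ImageLoaded": "C:\\Windows\\System32\\kernel32.dll", "Signed": "true"},
    {"EventID": 1, "Image": "C:\\Windows\\System32\\notepad.exe",
     "OriginalFileName": "NOTEPAD.EXE"},
]


def in_trusted_dir(path):
    """True for paths under directories that normally require admin rights to write."""
    return path.lower().startswith(TRUSTED_DIRS)


def renamed_binary(ev):
    """EID 1 heuristic: executable name on disk differs from OriginalFileName."""
    original = ev.get("OriginalFileName", "").lower()
    if original in ("", "-", "?"):  # Sysmon emits "-" when the resource is absent
        return False
    return ntpath.basename(ev["Image"]).lower() != original


def sideload_candidate(ev):
    """EID 7 heuristic: unsigned DLL loaded from the loader's own untrusted directory."""
    dll = ev["ImageLoaded"]
    if in_trusted_dir(dll) or ev.get("Signed", "false").lower() == "true":
        return False
    return ntpath.dirname(dll).lower() == ntpath.dirname(ev["Image"]).lower()


def hunt(events):
    """Return (rule, process_image, artefact) findings in event order."""
    findings = []
    for ev in events:
        if ev["EventID"] == 1 and renamed_binary(ev):
            findings.append(("renamed_binary", ev["Image"], ev["OriginalFileName"]))
        elif ev["EventID"] == 7 and sideload_candidate(ev):
            findings.append(("dll_sideload_candidate", ev["Image"], ev["ImageLoaded"]))
    return findings


if __name__ == "__main__":
    for rule, image, artefact in hunt(SAMPLE_EVENTS):
        print(f"{rule:24} {image}  ->  {artefact}")
```

The rename check matters because a renamed vendor binary still carries a valid signature, so allowlisting on signature alone lets `PerfWatson.exe` through; the version-resource name is what gives it away. The same-directory rule is deliberately narrow and will miss a DLL planted elsewhere on the search path, so treat it as a hunting starting point rather than a complete sideloading detection.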