Full Report
ESET researchers have discovered a supply-chain attack against a VPN provider in South Korea by a new China-aligned APT group we have named PlushDaemon
Analysis Summary
# Threat Actor: PlushDaemon
## Attribution & Identity
* **Identification:** China-aligned Advanced Persistent Threat (APT) group.
* **Aliases/Associations:** No aliases given; the group is the sole known user of the custom SlowStepper implant.
* **Activity Range:** Active since at least 2019.
## Activity Summary
PlushDaemon conducts cyberespionage operations. The article details a 2023 supply-chain compromise of IPany, a South Korean VPN software developer: the attackers replaced the legitimate VPN installer on IPany's website with a trojanized version that deployed their signature implant, SlowStepper. The victims appear to have downloaded the trojanized ZIP archive manually from the IPany website. Telemetry shows attempts to install the trojanized software inside the networks of a semiconductor company and an unidentified software development company in South Korea; older telemetry shows victims in Japan (November 2023) and China (December 2023).
## Tactics, Techniques & Procedures
* **Initial Access:** Hijacking legitimate updates of Chinese applications; supply-chain compromise (trojanized IPany VPN installer); access via vulnerabilities in legitimate web servers.
* **Execution/Persistence:** The malicious NSIS installer drops both the legitimate VPN files and the malicious components. Persistence is a Run key value named `IPanyVPN` that points to `svcghost.exe`. `svcghost.exe` keeps `PerfWatson.exe` (a renamed copy of the legitimate `regcap.exe` utility) running; that process side-loads the malicious `lregdll.dll`, which loads the SlowStepper backdoor.
* **Defense Evasion:** DLL side-loading through a renamed legitimate binary (`regcap.exe` running as `PerfWatson.exe`).
* **Command and Control:**
  * [T1071.004] Application Layer Protocol: DNS
  * [T1104] Multi-Stage Channels (C2 list obtained from DNS TXT records, followed by fallback domain resolution)
  * [T1008] Fallback Channels
  * [T1132.001] Data Encoding: Standard Encoding (Base64-encoded retrieved data)
  * [T1573.001] Encrypted Channel: Symmetric Cryptography (AES)
  * [T1095] Non-Application Layer Protocol (TCP)
  * [T1105] Ingress Tool Transfer (additional tools downloaded from a remote repository)
  * [T1090] Proxy (reverse proxies `agent.mod` and `soc.mod`)
  * [T1219] Remote Access Software (`Remote.mod` provides VNC control)
* **Collection:** Camera module (`Camera.mod`) capable of recording video.
* **Exfiltration:**
  * [T1020] Automated Exfiltration
  * [T1041] Exfiltration Over C2 Channel
## Targeting
* **Sectors:** Semiconductor industry, Software Development.
* **Geography:** China, Taiwan, Hong Kong, South Korea, United States, and New Zealand. Japan was also reported as a victim location.
* **Victims:** A semiconductor company and an unidentified software development company in South Korea.
## Tools & Infrastructure
* **Malware Families Used:** **SlowStepper** (feature-rich backdoor with over 30 components programmed in C++, Python, and Go). Components include loaders (`AutoMsg.dll`), extractors/deployers (`EncMgr.pkg`), persistence mechanism (`svcghost.exe`), and modules (`Camera.mod`, `Remote.mod`, `agent.mod`, `soc.mod`).
* **Infrastructure:**
* C2 retrieval via DNS TXT record queries, with communication encrypted using AES.
* Fallback C2 IP address obtained by resolving an alternative domain.
* Downloads of supplementary tools from a remote code repository at `GitCode`.
## Implications
PlushDaemon is a sophisticated, espionage-focused actor maintaining a large, modular custom backdoor (SlowStepper). Their willingness to engage in recent, high-impact supply-chain attacks against non-Chinese software vendors (South Korea) indicates a broad and potentially opportunistic espionage mandate. The use of multiple layers of encryption (AES), multi-stage C2 discovery via DNS, and defense evasion techniques suggests a high level of operational security and technical capability.
## Mitigations
* Implement rigorous security vetting and monitoring for third-party software updates, especially supply-chain components (e.g., VPN software installers).
* Monitor for the deployment of custom components within atypical directory structures (`%PUBLIC%\Documents\WPSDocuments\WPSManager\`).
* Alert on DNS TXT queries issued by processes that have no legitimate reason to make them (mail and DNS infrastructure aside); SlowStepper uses TXT records for C2 discovery, and the domains involved are not known in advance.
* Monitor for persistence mechanisms established through Registry Run keys pointing to unexpected executable paths.
* Watch for suspicious side-loading behavior involving legitimate utilities like `regcap.exe` or modules located in uncommon application data paths.
* Monitor for outbound TCP connections from unexpected processes and for DNS traffic used as a C2 discovery channel. The C2 payloads are AES-encrypted, so inline content inspection will not reveal them; key detections on the originating process, its on-disk location, the destination and the query pattern rather than on payload content.
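The mitigation bullets above reduce to three hunt rules: a Run key whose target lives outside Program Files or Windows, an unsigned DLL loaded from the same untrusted directory as its host process, and a TXT query from a process that has no business issuing one. The script below is an added example, not ESET's or IPany's code; it runs those rules over constructed telemetry loosely modeled on Sysmon events 13 (registry value set), 7 (image load) and 22 (DNS query). The field names (including `QueryType`, which Sysmon does not record as a separate field), the trusted-directory and user-writable patterns, the TXT allowlist entry, the `c2-discovery.example` domain and the sample paths are all assumptions made for the example.

```python
"""Hunt rules for the SlowStepper tradecraft summarized above, run over constructed telemetry.

Added example (not ESET's or IPany's code). Event schema loosely modeled on Sysmon
events 13, 7 and 22; field names, the QueryType field, the allowlist, the domain and
the sample paths are assumptions made for this example.
"""
import json
import ntpath
import re
from typing import Dict, List, Optional

# Constructed sample telemetry (not real logs): one malicious and one benign event per rule.
SAMPLE_JSONL = r"""
{"EventID": 13, "Image": "C:\\Users\\victim\\Downloads\\IPanyVPNsetup.exe", "TargetObject": "HKU\\S-1-5-21-1\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\IPanyVPN", "Details": "\"C:\\Users\\Public\\Documents\\WPSDocuments\\WPSManager\\svcghost.exe\""}
{"EventID": 13, "Image": "C:\\Windows\\System32\\msiexec.exe", "TargetObject": "HKU\\S-1-5-21-1\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\OneDrive", "Details": "\"C:\\Program Files\\Microsoft OneDrive\\OneDrive.exe\" /background"}
{"EventID": 7, "Image": "C:\\Users\\Public\\Documents\\WPSDocuments\\WPSManager\\PerfWatson.exe", "ImageLoaded": "C:\\Users\\Public\\Documents\\WPSDocuments\\WPSManager\\lregdll.dll", "Signed": "false"}
{"EventID": 7, "Image": "C:\\Windows\\System32\\svchost.exe", "ImageLoaded": "C:\\Windows\\System32\\kernel32.dll", "Signed": "true"}
{"EventID": 22, "Image": "C:\\Users\\Public\\Documents\\WPSDocuments\\WPSManager\\PerfWatson.exe", "QueryName": "c2-discovery.example", "QueryType": "TXT"}
{"EventID": 22, "Image": "C:\\Program Files\\MailGateway\\mta.exe", "QueryName": "_dmarc.example.com", "QueryType": "TXT"}
{"EventID": 22, "Image": "C:\\Windows\\System32\\svchost.exe", "QueryName": "www.example.com", "QueryType": "A"}
"""

# Directories where autostart targets and DLLs are expected to live (assumed baseline).
TRUSTED_DIRS = re.compile(r"^c:\\(windows|program files( \(x86\))?)\\", re.I)
# Locations any user can write to; the IPany payload lived under %PUBLIC%\Documents.
USER_WRITABLE = re.compile(r"^c:\\(users\\public\\|users\\[^\\]+\\(appdata|downloads)\\|programdata\\)", re.I)
# Hypothetical processes with a legitimate reason to issue TXT queries (SPF/DMARC lookups).
TXT_QUERY_ALLOWLIST = {r"c:\program files\mailgateway\mta.exe"}


def load_events(jsonl: str) -> List[Dict]:
    """Parse one JSON object per line, skipping blank lines."""
    return [json.loads(line) for line in jsonl.strip().splitlines() if line.strip()]


def command_image(details: str) -> str:
    """Extract the executable path from a Run-key value, which may be quoted and carry arguments."""
    details = details.strip()
    if details.startswith('"'):
        return details[1:details.find('"', 1)]
    return details.split()[0]


def rule_run_key(ev: Dict) -> Optional[Dict]:
    """Run/RunOnce value whose target executable is outside the trusted directories."""
    if ev.get("EventID") != 13 or r"\currentversion\run" not in ev["TargetObject"].lower():
        return None
    exe = command_image(ev["Details"])
    if TRUSTED_DIRS.match(exe):
        return None
    return {"rule": "run_key_uncommon_path",
            "value": ev["TargetObject"].rsplit("\\", 1)[-1], "target": exe}


def rule_sideload(ev: Dict) -> Optional[Dict]:
    """Unsigned DLL loaded from the same directory as a host executable that is not in a trusted dir."""
    if ev.get("EventID") != 7:
        return None
    exe, dll = ev["Image"], ev["ImageLoaded"]
    same_dir = ntpath.dirname(exe).lower() == ntpath.dirname(dll).lower()
    if same_dir and not TRUSTED_DIRS.match(exe) and ev.get("Signed", "false").lower() != "true":
        return {"rule": "dll_sideload_untrusted_dir", "image": exe, "dll": dll,
                "user_writable": bool(USER_WRITABLE.match(exe))}
    return None


def rule_dns_txt(ev: Dict) -> Optional[Dict]:
    """TXT query from any process not on the allowlist; note whether it runs from a user-writable path."""
    if ev.get("EventID") != 22 or ev.get("QueryType", "").upper() != "TXT":
        return None
    exe = ev["Image"]
    if exe.lower() in TXT_QUERY_ALLOWLIST:
        return None
    return {"rule": "dns_txt_unexpected_process", "image": exe,
            "query": ev["QueryName"], "user_writable": bool(USER_WRITABLE.match(exe))}


RULES = (rule_run_key, rule_sideload, rule_dns_txt)


def hunt(events: List[Dict]) -> List[Dict]:
    """Apply every rule to every event and collect the findings in event order."""
    findings = []
    for ev in events:
        for rule in RULES:
            hit = rule(ev)
            if hit:
                findings.append(hit)
    return findings


if __name__ == "__main__":
    for finding in hunt(load_events(SAMPLE_JSONL)):
        print(json.dumps(finding))
```

In production the three rule functions would consume the EDR or SIEM export in place of `SAMPLE_JSONL`. The Run-key rule deliberately ignores the value name: `IPanyVPN` was chosen to look legitimate, and the next campaign will pick another, so the target path is the durable signal. Correlating the three findings on the same image path (`PerfWatson.exe` under `WPSManager`) is what turns three medium-confidence alerts into one high-confidence one.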