PlushDaemon APT: A Deep Dive into the Supply Chain Attack on IPanyVPN

Gal Nakash
Updated February 19, 2025
6 minutes

ESET researchers have uncovered a cyberespionage campaign linked to a previously undocumented China-aligned advanced persistent threat (APT) group called PlushDaemon. This campaign involved a supply chain attack on a South Korean virtual private network (VPN) provider in 2023.

The attackers compromised the legitimate installer of the VPN software and replaced it with a malicious version. When users downloaded and installed this software, it installed the legitimate VPN but also deployed SlowStepper, a sophisticated backdoor developed by PlushDaemon. This backdoor is designed for long-term espionage and includes a toolkit with over 30 components, allowing attackers to carry out a wide range of malicious operations on infected systems.

PlushDaemon has been conducting cyberespionage against individuals and organizations across multiple regions, including China, Taiwan, Hong Kong, South Korea, the United States, and New Zealand.

The compromised installer was hosted on the official website of IPany VPN (https://ipany.kr/) as a downloadable ZIP archive. Upon investigation, ESET found that the installer contained no additional mechanisms (such as geofencing) to restrict downloads to specific targets.

This indicates that anyone who downloaded and installed the software could have been compromised.

The earliest recorded infections:

  • November 2023 – A victim in Japan
  • December 2023 – A victim in China

Technical Analysis

ESET researchers identified a trojanized version of IPanyVPNsetup.exe, which deploys legitimate VPN software and malicious payloads upon execution. The malware follows a structured infection chain to establish persistence and execute the SlowStepper backdoor.

Step 1: Creating a Home for Malicious Files

Upon execution, the installer creates multiple directories to store the legitimate and malicious files. These directories serve as staging areas for subsequent payloads, ensuring that the malware has the necessary components for execution and persistence.

Step 2: Making Sure It Stays—Persistence Mechanism

For automatic execution at system startup, the installer modifies the Windows Registry by adding an entry under the Run key. The entry is named IPanyVPN and points to the svcghost.exe executable.

The presence of svcghost.exe ensures that it runs every time the system starts, which helps the malware stay active even after a reboot. This executable is deployed by another component called EncMgr.pkg.
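The Run-key persistence described above is straightforward to audit from the defender's side. The following PowerShell script is an added example (it is not part of the ESET research or this post) that enumerates the per-user and machine-wide Run keys and flags entries matching the indicators named here: an entry called IPanyVPN or a target of svcghost.exe. It also applies a generic triage heuristic, flagging targets that live outside Program Files or the Windows directory; that list of "trusted roots" is an assumption of the example, not something the post states.

```powershell
# Added example (not from the original ESET/Reco write-up): enumerate the
# Run keys used for "Boot or Logon Autostart Execution" and flag entries
# that match the indicators described in this post. The IOC names
# (IPanyVPN, svcghost.exe) come from the post; the "trusted roots" list and
# the out-of-place heuristic are assumptions made for this example.

$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run'
)

# Directories from which autostart entries are normally expected (assumption).
$trustedRoots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}, $env:SystemRoot)

function Get-RunKeyFindings {
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            # Skip the PS* metadata properties that Get-ItemProperty adds.
            if ($p.Name -like 'PS*') { continue }
            $name  = $p.Name
            $value = [string]$p.Value

            # Pull the executable path out of the command line (quoted or not).
            if ($value -match '^\s*"([^"]+)"') { $exe = $Matches[1] }
            else { $exe = ($value -split '\s+')[0] }
            $exe = [Environment]::ExpandEnvironmentVariables($exe)

            $reasons = @()
            if ($name -ieq 'IPanyVPN')            { $reasons += 'Run entry name matches post IOC' }
            if ($exe -match '\\svcghost\.exe$')   { $reasons += 'target is svcghost.exe' }

            $inTrusted = $false
            foreach ($root in $trustedRoots) {
                if ($root -and $exe.StartsWith($root, [StringComparison]::OrdinalIgnoreCase)) {
                    $inTrusted = $true
                }
            }
            if (-not $inTrusted) { $reasons += 'target outside Program Files / Windows (triage heuristic)' }
            if ($exe -and -not (Test-Path -LiteralPath $exe)) {
                $reasons += 'target file missing (stale or hidden entry)'
            }

            if ($reasons.Count -gt 0) {
                [pscustomobject]@{
                    Key     = $key
                    Name    = $name
                    Target  = $exe
                    Reasons = ($reasons -join '; ')
                }
            }
        }
    }
}

Get-RunKeyFindings | Format-Table -AutoSize
```

Run it in an elevated session so the HKLM hives are readable. The "outside Program Files / Windows" reason is intentionally noisy (many legitimate updaters start from AppData); it exists to surface entries worth a second look, while the IPanyVPN and svcghost.exe matches are the high-confidence hits from this post.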

A deep investigation of the file IPvpnany.exe reveals several concerning characteristics, including malware-like behavior, persistence mechanisms, and communication with potentially malicious domains and IP addresses.

Intezer Analysis Findings

Upon analyzing the file with Intezer, the results indicate that:

  • 70% of the code is linked to an NSIS installer, a common format for software installers but also frequently abused for distributing malware.
  • A total of 32 code fragments and 27 code samples were identified, indicating that portions of the code have been observed in other samples and strongly suggesting a shared malware lineage. The file's behavior also matches the following MITRE ATT&CK techniques:
    1. Boot or Logon Autostart Execution
      • Uses Registry Run Keys / Startup Folder for persistence, ensuring execution on system startup.
    2. Impair Defenses - Disable or Modify Tools
      • Modifies system defenses, likely attempting to bypass security mechanisms.
    3. Modify Registry for Defensive Evasion
      • Alters registry values, possibly to avoid detection or maintain control over the system.

VirusTotal Detection & Network Activity

A scan on VirusTotal confirms the file's malicious nature, with 56 antivirus engines flagging it as a threat.

The file was also observed communicating with multiple domains and IP addresses, including:

  • 10 contacted domains, out of which four are confirmed malicious:
    • 7051.gsm.360safe.company (known for hosting malware-related content)
    • ipany.kr (potential C2 server or exfiltration endpoint)
    • ipinfo.io (a legitimate IP lookup service, often abused by malware to check geolocation)
    • res.public.onecdn.static.microsoft (potentially impersonating Microsoft’s CDN for malicious intent)

Additionally, the network analysis identified two malicious IP addresses:

  • 114.114.114.114 (Previously reported for malware distribution and suspicious activity)
  • 103.28.8.82 (Associated with various malicious campaigns)

Step 3: The First Piece—AutoMsg.dll

The first malicious component executed is AutoMsg.dll, which is an initial loader. Its primary function is to launch svcghost.exe using the ShellExecute API. Once this task is completed, AutoMsg.dll terminates its process to avoid detection.

VirusTotal Detection & Parent Relationship

The file automsg.dll has been identified as malicious, with 50 detections on VirusTotal, indicating widespread recognition among antivirus engines.

Additionally, automsg.dll has ties to two executed parent files:

  1. IPVPNsetup.zip
  2. IPVPNsetup.any

Intezer Analysis Findings

  • 92% code resemblance to ShellcodeRunner
    • ShellcodeRunner is a tool used in malware development to execute arbitrary shellcodes in memory.
    • This high resemblance suggests that automsg.dll may contain embedded shellcode execution techniques, likely used for fileless malware execution or code injection.
  • 44.94% code similarity to SlowStepper
    • SlowStepper is associated with stealthy, long-term persistence techniques and sandbox evasion.
    • This similarity suggests that automsg.dll may employ anti-analysis techniques, delaying execution or detecting virtualized environments.

Step 4: The Watchdog—svcghost.exe

The svcghost.exe component plays a key role in maintaining the presence of the SlowStepper backdoor. It does this by monitoring the execution of PerfWatson.exe—a legitimate Windows process originally intended for performance diagnostics.

  • If PerfWatson.exe is not actively running, svcghost.exe immediately restarts it. The attackers repurposed a legitimate Microsoft utility, regcap.exe, renaming it to PerfWatson.exe so that it could be abused for DLL side-loading, a deliberate evasion technique.
  • The malicious DLL, lregdll.dll, is loaded through this method to execute the SlowStepper backdoor, hidden within a file named winlogin.gif.
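The side-loading chain above leaves a recognisable footprint: a signed Microsoft binary running under a name that does not match its compiled-in original file name, loading an unsigned DLL from its own directory. The following PowerShell script is an added example, not code from the ESET research or this post, that checks running PerfWatson.exe processes for exactly that pattern. The process, DLL and original-binary names (PerfWatson.exe, lregdll.dll, regcap.exe) are taken from the post; the checks themselves are this example's assumptions about how a defender would triage the finding, not a published detection rule.

```powershell
# Added example (not from the original ESET/Reco write-up): look for the
# renamed-binary DLL side-loading pattern described above. The names
# PerfWatson.exe, lregdll.dll and regcap.exe come from the post; the
# heuristics are assumptions made for this example.

function Get-MasqueradeFindings {
    param(
        [string]$ProcessName = 'PerfWatson',   # process name from the post (no .exe for Get-Process)
        [string]$SuspectDll  = 'lregdll.dll'   # side-loaded DLL named in the post
    )

    foreach ($proc in Get-Process -Name $ProcessName -ErrorAction SilentlyContinue) {
        $path = $proc.Path
        if (-not $path) { continue }   # access denied or protected process

        $vi         = (Get-Item -LiteralPath $path).VersionInfo
        $onDiskName = [IO.Path]::GetFileName($path)
        $origName   = $vi.OriginalFilename
        $sig        = Get-AuthenticodeSignature -FilePath $path

        $reasons = @()
        # A renamed Microsoft utility keeps its compiled-in OriginalFilename
        # (here regcap.exe), so it will not match the file name on disk.
        if ($origName -and ($origName -ine $onDiskName)) {
            $reasons += "OriginalFilename '$origName' differs from on-disk name '$onDiskName'"
        }
        if ($origName -ieq 'regcap.exe') {
            $reasons += 'binary is regcap.exe renamed (matches post)'
        }
        # Genuine Windows binaries run from under %SystemRoot%; a copy elsewhere is suspicious.
        if (-not $path.StartsWith($env:SystemRoot, [StringComparison]::OrdinalIgnoreCase)) {
            $reasons += 'running from outside %SystemRoot%'
        }

        # DLLs loaded from the process's own directory that are not signed are
        # the classic side-loading footprint. Module enumeration can fail across
        # bitness or on protected processes, so record that rather than abort.
        $procDir = Split-Path -Parent $path
        $modules = @()
        try { $modules = $proc.Modules } catch { $reasons += 'could not enumerate modules' }
        foreach ($m in $modules) {
            $mName = $m.ModuleName
            $mDir  = Split-Path -Parent $m.FileName
            if ($mName -ieq $SuspectDll) {
                $reasons += "loaded $mName (matches post)"
            } elseif (($mDir -ieq $procDir) -and ($mName -like '*.dll')) {
                $mSig = Get-AuthenticodeSignature -FilePath $m.FileName
                if ($mSig.Status -ne 'Valid') { $reasons += "unsigned side-by-side DLL $mName" }
            }
        }

        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                Pid     = $proc.Id
                Path    = $path
                Signer  = $sig.SignerCertificate.Subject
                Reasons = ($reasons -join '; ')
            }
        }
    }
}

Get-MasqueradeFindings | Format-List
```

Note what the signature check does and does not tell you: a renamed regcap.exe still carries a valid Microsoft signature, so "signed by Microsoft" alone would clear it. The OriginalFilename mismatch and the unsigned DLL sitting beside it are what separate this case from a legitimate PerfWatson.exe.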

A notable aspect of svcghost.exe is its relationship with 10 execution parents, suggesting it is part of a larger attack chain, potentially acting as a payload or persistence mechanism. The multiple execution parents imply that this file may have been delivered through various droppers, installers, or loaders. Intezer code-similarity analysis also shows an 87% code resemblance to the SlowStepper backdoor.

Intezer analysis of the code sample shows a 91% resemblance to the SlowStepper backdoor. On VirusTotal, 49 antivirus engines flagged the file as malicious, confirming its potential threat level.

The file was observed communicating with four malicious IP addresses, likely for Command & Control (C2), data exfiltration, or additional payload delivery. It was also found that the execution parent is the IPanyVPNsetup.zip.

Upon execution, rundll32.exe was launched 28 times, indicating DLL side-loading or process injection. This could mean the malware is using rundll32.exe as a LOLBin (Living Off the Land Binary) to execute malicious code stealthily, making detection harder.

Step 5: Listening for Shutdown Signals

To maintain control over the infected system, svcghost.exe creates a nameless window that listens for specific system messages:

  • WM_CLOSE – Sent when the window is asked to close.
  • WM_QUERYENDSESSION – Indicates the system is preparing to shut down.
  • WM_ENDSESSION – Signals that a user session is ending.

When any of these messages are received, the malware attempts to re-establish persistence, depending on the permissions of the current process.

SlowStepper Backdoor: Technical Analysis and Evolution

SlowStepper is a C++-based backdoor that heavily incorporates object-oriented programming (OOP) in its command-and-control (C&C) communications code. The backdoor consists of hundreds of functions, indicating a complex and well-maintained codebase.

In the supply chain attack on IPany VPN, the variant identified was SlowStepper v0.2.10 Lite, as noted in its internal code. This "Lite" version features a reduced functionality set compared to both older and newer versions, suggesting that it may have been optimized for stealth or specific operational needs.

The oldest known variant of SlowStepper is v0.1.7, while the most recent version observed is v0.2.12. The iterative versioning suggests continuous development, likely incorporating new capabilities while refining existing features.

Both the full and Lite versions of SlowStepper leverage a suite of tools written in Python and Go. These tools provide:

  • Comprehensive data collection from infected systems
  • Surveillance capabilities, including audio and video recording

The toolset was stored in a remote code repository on GitCode, a Chinese development platform. The repository was linked to an account named LetMeGo22, reinforcing potential ties to a China-aligned threat actor.

Conclusion

The discovery of PlushDaemon, a previously undocumented China-aligned APT group, underscores the growing sophistication of state-sponsored cyber espionage operations. The group’s successful compromise of IPany VPN through a supply chain attack highlights the persistent threat posed to software vendors and their users, particularly in regions of strategic interest such as South Korea, Taiwan, China, Japan, and the United States.

At the heart of this attack was SlowStepper, a highly modular C++-based backdoor designed for long-term espionage and stealthy data exfiltration. With its ability to establish persistence, monitor system processes, and leverage a suite of Python and Go-based tools, the malware provided the attackers with a robust platform for covert surveillance and data collection. The fact that these tools were hosted on the Chinese platform GitCode further suggests an organized and well-resourced threat actor.

This incident highlights the dangers of supply chain compromises, where legitimate software updates and installers can become vehicles for malware distribution. Organizations relying on third-party software—especially security tools like VPNs—must remain vigilant, ensuring that downloaded installers are verified for authenticity.


ABOUT THE AUTHOR

Gal Nakash

Gal is the Cofounder & CPO of Reco. Gal is a former Lieutenant Colonel in the Israeli Prime Minister's Office. He is a tech enthusiast, with a background of Security Researcher and Hacker. Gal has led teams in multiple cybersecurity areas with an expertise in the human element.

Technical Review by:
Gal Nakash