South Korean VPN provider IPany fell victim to a supply chain attack orchestrated by the China-aligned hacking group "PlushDaemon." The attackers compromised IPany's VPN installer, embedding a custom malware named 'SlowStepper' into the installer file, affecting customers upon installation.

ESET researchers discovered that the attackers infiltrated IPany's development platform and modified the installer file ('IPanyVPNsetup.exe') to include the SlowStepper backdoor. Customers downloading the VPN's ZIP installer ('IPanyVPNsetup.zip') from the company's official website between November 2023 and May 2024 were impacted. Victims include a South Korean semiconductor firm and a software development company, with the first signs of infections reported in Japan.

When executed, the installer deploys the legitimate VPN alongside malicious files like 'svcghost.exe,' which ensures persistence by creating a Registry Run key. The SlowStepper payload is concealed within an image file ('winlogin.gif') and loaded through a malicious DLL ('lregdll.dll') into the 'PerfWatson.exe' process. The executable monitors this process to keep it operational.

ESET reports that the Lite version 0.2.10 of SlowStepper was used in this attack, designed for stealth with a smaller footprint while maintaining powerful spyware capabilities. The malware, developed in Python and Go, supports a range of espionage commands:

ESET explained, "Both the full and Lite versions make use of an array of tools programmed in Python and Go, which include capabilities for extensive collection of data, and spying through recording of audio and videos."

They promptly notified IPany, leading to the removal of the compromised installer from its website. However, previously infected users must clean their systems to eliminate the malware. 

Notably, the download page lacked geo-fencing, leaving users across the globe potentially vulnerable.The complete list of the indicators of compromise (IoCs) associated with this campaign can be found here