{
	"id": "c21754a6-f2a8-4749-a126-b11cddf3e0ce",
	"created_at": "2026-04-06T00:19:07.197459Z",
	"updated_at": "2026-04-10T13:12:30.322904Z",
	"deleted_at": null,
	"sha1_hash": "f7375857d8f83da003dfb0c89c351886a8ff453d",
	"title": "PlushDaemon compromises supply chain of Korean VPN service",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1003606,
	"plain_text": "PlushDaemon compromises supply chain of Korean VPN service\r\nBy Facundo Muñoz\r\nArchived: 2026-04-02 11:50:18 UTC\r\nESET researchers provide details on a previously undisclosed China-aligned APT group that we track as PlushDaemon and\r\none of its cyberespionage operations: the supply-chain compromise in 2023 of VPN software developed by a South Korean\r\ncompany, where the attackers replaced the legitimate installer with one that also deployed the group’s signature implant that\r\nwe have named SlowStepper – a feature-rich backdoor with a toolkit of more than 30 components.\r\nKey points of this blogpost:\r\nPlushDaemon is a China-aligned threat group, engaged in cyberespionage operations.\r\nPlushDaemon’s main initial access vector is hijacking legitimate updates of Chinese applications, but we\r\nhave also uncovered a supply-chain attack against a South Korean VPN developer.\r\nWe believe PlushDaemon is the exclusive user of several implants, including SlowStepper for Windows.\r\nSlowStepper has a large toolkit composed of around 30 modules, programmed in C++, Python, and Go.\r\nOverview\r\nIn May 2024, we noticed detections of malicious code in an NSIS installer for Windows that users from South Korea had\r\ndownloaded from the website of the legitimate VPN software IPany (https://ipany.kr/; see Figure 1), which is developed by a\r\nSouth Korean company. Upon further analysis, we discovered that the installer was deploying both the legitimate software\r\nand the backdoor that we’ve named SlowStepper. 
We contacted the VPN software developer to inform them of the\r\ncompromise, and the malicious installer was removed from their website.\r\nWe attribute this operation to PlushDaemon – a China-aligned threat actor active since at least 2019, engaging in espionage\r\noperations against individuals and entities in China, Taiwan, Hong Kong, South Korea, the United States, and New Zealand.\r\nPlushDaemon uses a custom backdoor that we track as SlowStepper, and its main initial access technique is to hijack\r\nlegitimate updates by redirecting traffic to attacker-controlled servers. Additionally, we have observed the group gaining\r\naccess via vulnerabilities in legitimate web servers.\r\nhttps://www.welivesecurity.com/en/eset-research/plushdaemon-compromises-supply-chain-korean-vpn-service/\r\nPage 1 of 17\n\nFigure 1. Page at IPany website from which the malicious installer could be downloaded\r\nThe victims appear to have manually downloaded a ZIP archive containing a malicious NSIS installer from the URL\r\nhttps://ipany[.]kr/download/IPanyVPNsetup.zip. We found no suspicious code on the download page (shown in Figure 1) to\r\nproduce targeted downloads, for example by geofencing to specific targeted regions or IP ranges; therefore, we believe that\r\nanyone using the IPany VPN might have been a valid target.\r\nVia ESET telemetry, we found that several users attempted to install the trojanized software in the network of a\r\nsemiconductor company and an unidentified software development company in South Korea. The two oldest cases\r\nregistered in our telemetry were a victim from Japan in November 2023, and a victim from China in December 2023.\r\nTechnical analysis\r\nAs illustrated in Figure 2, when the malicious IPanyVPNsetup.exe installer is executed, it creates several directories and\r\ndeploys both legitimate and malicious files.\r\nFigure 2. 
Deployment of both legitimate and malicious files\r\nAdditionally, the installer establishes persistence for SlowStepper by adding an entry named IPanyVPN to a Run key, with\r\nthe value %PUBLIC%\\Documents\\WPSDocuments\\WPSManager\\svcghost.exe, so that the malicious component\r\nsvcghost.exe (later extracted and deployed by the loader in EncMgr.pkg) is launched when the operating system starts.\r\nThe first malicious component that is loaded by the installer is the AutoMsg.dll loader. Figure 3 illustrates the major steps\r\ntaken during the execution of this component.\r\nFigure 3. Loading chain initiated when IPanyVPNSetup.exe loads AutoMsg.dll\r\nWhen IPanyVPNSetup.exe calls ExitProcess, the patched bytes redirect execution to the shellcode that loads EncMgr.pkg\r\ninto memory and executes it.\r\n
EncMgr.pkg creates two directories – WPSDocuments and WPSManager – in %PUBLIC%\\Documents and the deployment\r\nbegins by extracting components from the custom archives NetNative.pkg and FeatureFlag.pkg. The components are\r\ndropped to disk and moved to other locations with new filenames. The sequence and actions taken are as follows:\r\n1. Extracts the files from NetNative.pkg to:\r\na. %PUBLIC%\\Documents\\WPSDocuments\\WPSManager\\assist.dll,\r\nb. %PUBLIC%\\Documents\\WPSDocuments\\WPSManager\\msvcr100.dll,\r\nc. %PUBLIC%\\Documents\\WPSDocuments\\WPSManager\\PerfWatson.exe, and\r\nd. %PUBLIC%\\Documents\\WPSDocuments\\WPSManager\\svcghost.exe.\r\n2. Deletes NetNative.pkg.\r\n3. Moves FeatureFlag.pkg to C:\\ProgramData\\Microsoft Shared\\Filters\\SystemInfo\\winlogin.gif.\r\n4. Moves assist.dll to C:\\ProgramData\\Microsoft Shared\\Filters\\SystemInfo\\Winse.gif.\r\n5. Extracts a file from Winse.gif to %PUBLIC%\\Documents\\WPSDocuments\\WPSManager\\lregdll.dll.\r\n6. Copies data from BootstrapCache.pkg to %PUBLIC%\\Documents\\WPSDocuments\\WPSManager\\Qmea.dat.\r\nIts last actions are to execute svcghost.exe using the ShellExecute API and then exit.\r\nThe svcghost.exe component performs monitoring of the PerfWatson.exe process, where the backdoor is loaded, ensuring\r\nthat it is always running. If the processes are not running, it executes PerfWatson.exe (originally a legitimate command line\r\nutility named regcap.exe, included in Visual Studio), which the attackers abuse to side-load lregdll.dll. The DLL’s goal is to\r\nload the SlowStepper backdoor from the winlogin.gif file.\r\nOn a new thread, it creates a nameless window that ignores all messages except WM_CLOSE,\r\nWM_QUERYENDSESSION, and WM_ENDSESSION. When any of these three messages is received, the thread attempts\r\nto establish persistence in the Windows registry, depending on the permissions of the current process; see Table 1.\r\nTable 1. Registry keys targeted for persistence\r\nRequires | Registry key | Entry | Value\r\nAdministrator | HKLM\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon | Userinit | Current path of svcghost.exe.\r\nUser | HKCU\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows | load | Current path of svcghost.exe.\r\n
The SlowStepper backdoor\r\nSlowStepper is a backdoor developed in C++ with extensive use of object-oriented programming in the C\u0026C\r\ncommunications code. Although the code contains hundreds of functions, the particular variant used in the supply-chain\r\ncompromise of the IPany VPN software appears to be version 0.2.10 Lite, according to the backdoor’s code. The so-called\r\n“Lite” version indeed contains fewer features than other previous and newer versions.\r\nThe oldest version of the SlowStepper backdoor that we know of is 0.1.7, compiled on 2019-01-31 according to its PE\r\ntimestamps; the newest one is 0.2.12, compiled on 2024-06-13, and is the full version of the backdoor.\r\nBoth the full and Lite versions make use of an array of tools programmed in Python and Go, which include capabilities for\r\nextensive collection of data, and spying through recording of audio and videos. The tools were stored in a remote code\r\nrepository hosted on the Chinese platform GitCode, under the LetMeGo22 account; at the time of writing, the profile was\r\nprivate (Figure 4).\r\nFigure 4. LetMeGo22 account at GitCode\r\n
C\u0026C communications\r\nSlowStepper does not carry the C\u0026C IP address in its configuration; instead, it crafts a DNS query to obtain a TXT record\r\nfor the domain 7051.gsm.360safe[.]company. The query is sent to one of three legitimate, public DNS servers:\r\n8.8.8.8 – Google Public DNS,\r\n114.114.114.114 – 114dns.com, or\r\n223.5.5.5 – Alibaba Public DNS.\r\nWe obtained four such records associated with that domain:\r\n\u0026%QT%#/zZDmb4ATTVIxwHXPLGrj0FAOV7q+P/sMG109ooj5YLnVZBs3R/eZcuQximtgLkf\r\n\u0026%QT%#/zZDmb4ATTVIxwHXPLGrj0FAOV7q+P/sMG109ooj5YKQs3XiHSjM3f+h9ok9XfQ1AjoX+C4UXZsDLVqCDhvx\r\n\u0026%QT%#aT1sAjOFTcwzQ7hwc0iyfygP/ooo8pkIRyaNKWcqBz+QRGYBV/2v8HrVg28+aZXhfXvgDxS1vXAuhdcN2dEKxw\r\n\u0026%QT%#aT1sAjOFTcwzQ7hwc0iyfySJBEDM0z6na7BiogG0hDJqdKlUqkrb9ppOjg8epeQ6I6cUXWLKyZGZCkJwFyKD4Q\r\nThe format of the data in the query is shown in Figure 5. The code checks whether the first six bytes of the TXT record\r\nmatch \u0026%QT%# and if so, it extracts the rest of the string, which is a base64-encoded AES-encrypted blob containing an\r\narray of 10 IP addresses to be used as C\u0026C servers. The key used for decryption is sQi9\u0026*2Uhy3Fg7se and the IV is\r\nQhsy\u00267y@bsG9st#g.\r\nFigure 5. DNS TXT record obtained from malicious domains\r\nWhen parsing the decrypted data, the code can extract at least four data identifiers, described in Table 2.\r\nTable 2. Data types processed by the backdoor’s code\r\nData identifier | Size of data | Description\r\n0x04 | 4 | Data is an IP address.\r\n0x05 | 6 | Data is an IP address and port number.\r\n0x06 | 16 | Skips the next 16 bytes of data. We suspect that, given the size of the data, it’s possible that it is an IPv6 address.\r\n0x00–0x03, 0x07–0xFF | Data identifier value is the value of the data size. | Skips the next (unknown) bytes of data.\r\nOne of the IP addresses is chosen and SlowStepper connects to the C\u0026C server via TCP to begin its communication\r\nprotocol. If, after a number of attempts, it fails to establish a connection to the server, it uses the gethostbyname API on the\r\ndomain st.360safe[.]company to obtain the IP address mapped to that domain and uses the obtained IP as its fallback C\u0026C\r\nserver.\r\nOnce communication is established, SlowStepper can process the commands listed in Table 3.\r\n
Table 3. Basic commands supported by SlowStepper\r\nCommand ID | Action performed\r\n0x32 | Collects the following information from the compromised machine and sends it to the server:\r\n· brand of the CPU, using the CPUID instruction,\r\n· HDDs connected to the computer and their serial numbers,\r\n· computer name,\r\n· local host name,\r\n· public IP address, by querying multiple services,\r\n· list of running processes,\r\n· list of installed applications,\r\n· network interface information,\r\n· additional information about the computer’s drives, such as volume name and free space,\r\n· system memory,\r\n· current username,\r\n· persistence type used,\r\n· whether cameras are connected,\r\n· whether microphones are connected,\r\n· whether the operating system is running as a virtual machine,\r\n· system uptime,\r\n· HTTP proxy configuration, and\r\n· whether queries to the DNS server at 114.114.114.114:53 to resolve the addresses of two legitimate domains, cf.duba.net (Kingston) and f.360.cn (360 Qihoo), failed or succeeded. It is unclear to us what the purpose of this information is.\r\n0x38 | Executes a Python module from its toolkit; the output and any files created by the module are sent to the server. The procedure is very similar to what is used in the shell mode.\r\n0x39 | Deletes the specified file.\r\n0x3A | This command can process other commands sent by the operator in SlowStepper’s shell mode, which we explain in more detail below. Alternatively, it can also:\r\n· Run a command via cmd.exe and send the output back to the server.\r\n· Run a command via cmd.exe without sending the output to the server.\r\n0x3C | Uninstalls SlowStepper by removing its persistence mechanism and removing its files.\r\n0x3F | Lists files in the specified directory, and lists drives.\r\n0x5A | Downloads and executes the specified file.\r\n
SlowStepper has a rather unusual feature: the developers implemented a custom shell, or command line interface, on top of\r\nits communication protocol. While the backdoor accepts and handles commands in the traditional way, the 0x3A command\r\nactivates the interpretation of operator-written commands (Table 4).\r\nTable 4. Commands supported in shell mode\r\nCommand | Parameters | Description\r\ncd | Path to a directory. | Checks whether a directory exists.\r\ngcall | Module name and other unknown parameter(s). | This function can perform two tasks:\r\n· Download a module from the remote code repository and execute it. The module is supposed to be a console application.\r\n· Send a file from the compromised machine to the operator.\r\npycall | Tool name to be executed. | This command is explained in detail in the Execution of tools via SlowStepper’s pycall shell command section.\r\nrestart | self | Restarts SlowStepper by rerunning the host process and calling the ExitProcess API. Returns the message The mode of NSP doesn't support restart self. when SlowStepper is running in a process via a persistence technique that abuses Winsock namespace providers; however, it is not included in this variant of SlowStepper.\r\nupdate | N/A | Downloads a module from the remote code repository, replacing a previous existing version.\r\ngconfig | show | Displays the value of ServerIP (the C\u0026C IP address).\r\ngconfig | set | Changes the value of ServerIP. The console suggests the following to the operator: If you want make the Configuration effective immediately, please command “gconfig reload”.\r\ngconfig | reload | Reloads the configuration.\r\ngetname | | Returns the name of the current process in which SlowStepper is running.\r\ngetdll | | Returns the name of the SlowStepper DLL in the current process.\r\ngetpid | | Returns the process ID of the current process in which SlowStepper is running.\r\ngetsid | | Returns the Remote Desktop Services session ID of the current process. This suggests that SlowStepper might also be intended to compromise machines running Windows Server.\r\ngetpwd | | Downloads getcode.mod from the remote code repository and executes it using rundll32.exe. The module generates a file, named psf.bin, that contains the collected data.\r\ngcmd | query | Creates a complete report of information about the specified file or directory.\r\ngcmd | delete | Deletes the specified file, directory, or all files in a directory.\r\ngcmd | set | Sets configuration parameters.\r\ngcmd | terminate | Terminates the specified process.\r\ngcmd | cancel | Creates a file with the .delete extension.\r\n
Execution of tools via SlowStepper’s pycall shell command\r\nFigure 6 illustrates the execution chain, starting when the operator issues a pycall command to request the execution of a\r\nPython module on the compromised machine; here, as an example, the module CollectInfo.\r\nFigure 6. Execution flow of the pycall command\r\nFrom the remote repository, the pycall command downloads a ZIP archive that contains the Python interpreter and its\r\nsupporting libraries. One of three possible customized distributions is downloaded, as outlined in Table 5.\r\nTable 5. List of customized Python distributions and the conditions under which they are downloaded\r\nCondition | Archive name | Description\r\nWindows operating system is XP. | winxppy.org | Python 3.4\r\nAll required Windows API set (stub) DLLs and the Microsoft C runtime are present. | winpy_no_rundll.org | Python 3.7\r\nNeither of the preceding conditions is met. | win7py.org | Python 3.7; includes Windows API set (stub) DLLs and the Microsoft C runtime library.\r\nFigure 7 shows the directory structure of the decompressed archive containing the Python distribution, listing only the\r\nmalicious files that are included within.\r\nFigure 7. Directory structure of the customized Python distribution and malicious files\r\nSlowStepper runs the Python interpreter using the following command line:\r\n%PUBLIC%\\Documents\\WPSDocuments\\WPSManager\\Python\\Pythonw.exe -m runas \u003cmodule_name\u003e\r\nThe module named runas is a custom Python script (Figure 8) that loads another custom Python module named help from\r\nwhich it uses the function named run to decrypt the module and execute it.\r\nFigure 8. Code of runas.py\r\nTable 6 lists the modules that we recovered from the remote repository during the time it was available.\r\n
Table 6. List of Python modules and their purpose\r\nFilename on disk | Original module name | Purpose\r\n900150983cd24fb0d6963f7d28e17f72 | abc | Test module that prints hello world.\r\nef15fd2f45e6bb5ce57587895ba64f93 | Browser | Collects a wide range of data from web browsers: Google Chrome, Microsoft Edge, Opera, Brave, Vivaldi, Cốc Cốc browser, UC Browser, 360 Browser, and Mozilla Firefox.\r\n967d35e40f3f95b1f538bd248640bf3b | Camera | If the computer has a camera connected, it takes photos.\r\na7ba857c30749bf4ad76c93de945f41b | CollectInfo | Scans the disk for files with extensions .txt, .doc, .docx, .xls, .xlsx, .ppt, and .pptx. Collects information from several software titles, including: LetsVPN, Tencent QQ, WeChat, Kingsoft WPS, e2eSoft VCam, KuGou, Oray Sunlogin, and ToDesk.\r\n6002396e8a3e3aa796237f6469eb84f8 | Decode | Downloads a module from the remote repository and decrypts it.\r\n9348a97af6e8a2f482d5dbee402c8c6f | DingTalk | Collects a wide range of data from DingTalk (a corporate management tool developed in China), including chat messages, audio, video, contact information, and groups the user has joined.\r\n801ab24683a4a8c433c6eb40c48bcd9d | Download | Downloads (non-malicious) Python packages.\r\n16654b501ac48e4675c9eb0cf2b018f6 | FileScanner | Scans the disk for files, using the same code as CollectInfo.\r\n7d3b40764db47a45e9bc3f1169a47fe2 | FileScannerAllDisk | Same as FileScanner.\r\n3582f6ebaf9b612940011f98b110b315 | getOperaCookie | Gets cookies from the Opera browser.\r\n10ae9fc7d453b0dd525d0edf2ede7961 | list | Lists modules with a .py extension.\r\nce5bf551379459c1c61d2a204061c455 | Location | Obtains the IP address of the computer and the GPS coordinates, using online services.\r\n68e36962b09c99d6675d6267e81909ad | Location1 | Same as Location.\r\n5e0a529f8acc19b42e45d97423df2eb4 | LocationByIP | Same as Location.\r\nc84fcb037b480bd25ff9aaaebce5367e | PackDir | Creates a ZIP archive of the specified file.\r\n4518dc0ae0ff517b428cda94280019fa | qpass | This script appears to be unfinished. It obtains and decrypts passwords from Tencent QQ Browser. Probably replaced by the qqpass module.\r\n5fbf04644f45bb2be1afffe43f5fbb57 | qqpass | Obtains and decrypts passwords from Google Chrome, Mozilla Firefox, Tencent QQ Browser, 360 Chrome, and UC Browser.\r\n874f5aaef6ec4af83c250ccc212d33dd | ScreenRecord | Records the screen, saving the result as an AVI file inside a ZIP archive.\r\nc915683f3ec888b8edcc7b06bd1428ec | Telegram | Collects account information from the Telegram desktop application.\r\n104be797a980bcbd1fa97eeacfd7f161 | Webpass | Similar to the qqpass module.\r\ne5b152ed6b4609e94678665e9a972cbc | WeChat | One of the largest modules, it collects a wide range of data from WeChat.\r\n6d07a4ebf4dff8e5d4fdb61f1844cc12 | Wechat_all_file | Collects data from WeChat.\r\n17cf4a6dd339a1312959fd344fe92308 | Wechat_src | Same as Wechat_all_file.\r\n8326cef49f458c94817a853674422379 | Wechat1 | Similar to WeChat.\r\n427f01be70f46f02ef0d18fcbbfaf01d | WechatFile | Same as Wechat1.\r\n72704d83b916fa1f7004e0fdef4b77ae | WirelessKey | Collects wireless network information and passwords, and output from the ipconfig /all command.\r\n
In addition to the Python toolkit, we found other tools (Table 7) stored in the remote code repository that are not encrypted;\r\nsome of these were programmed in C/C++ and others in Go, as noted below.\r\nTable 7. Tools and their function\r\nTool filename | Description\r\nagent.mod | Reverse proxy programmed in Go.\r\ngetcode.mod, getcode64.mod | Mimikatz. This tool is a DLL downloaded by the getpwd command.\r\nInitPython.mod | Old downloader to install the customized Python distribution on the compromised machine. This tool is a DLL.\r\nRemote.mod | RealVNC server that allows the attackers to remotely control the compromised machine. This tool is a DLL.\r\nsoc.mod | Reverse proxy programmed in Go. Signed with a certificate from a Chinese company called Hangzhou Fuyang Qisheng Information Technology Service Department. We were unable to find any information about the company.\r\nstoll.mod | Tool used to perform downloads, written in Go. Signed with a certificate from the Chinese company Zhoushan Xiaowen Software Development Studio. We were unable to find any information about the company.\r\n
Conclusion\r\nIn this blogpost, we have analyzed a supply-chain attack against a Korean VPN provider, targeting users in East Asia, as\r\nevident through the specific software targeted for information collection and confirmed via ESET telemetry. We also\r\ndocumented the SlowStepper backdoor, used exclusively by PlushDaemon. This backdoor is notable for its multistage C\u0026C\r\nprotocol using DNS, and its ability to download and execute dozens of additional Python modules with espionage\r\ncapabilities.\r\nThe numerous components in the PlushDaemon toolset, and its rich version history, show that, while previously unknown,\r\nthis China-aligned APT group has been operating diligently to develop a wide array of tools, making it a significant threat to\r\nwatch for.\r\nFor any inquiries about our research published on WeLiveSecurity, please contact us at threatintel@eset.com.\r\nESET Research offers private APT intelligence reports and data feeds. For any inquiries about this service, visit\r\nthe ESET Threat Intelligence page.\r\n
IoCs\r\nA comprehensive list of indicators of compromise and samples can be found in our GitHub repository.\r\nFiles\r\nSHA-1 | Filename | Detection | Description\r\nA8AE42884A8EDFA17E9D67AE5BEBE7D196C3A7BF | AutoMsg.dll | Win32/ShellcodeRunner.GZ | Initial loader DLL.\r\n2DB60F0ADEF14F4AB3573F8309E6FB135F67ED7D | lregdll.dll | Win32/Agent.AGUU | Loader DLL for the SlowStepper backdoor.\r\n846C025F696DA1F6808B9101757C005109F3CF3D | OldLJM.dll | Win32/Agent.AGXL | Installer DLL, internally named OldLJM.dll. It is extracted from EncMgr.pkg and executed in memory.\r\nAD4F0428FC9290791D550EEDDF171AFF046C4C2C | svcghost.exe | Win32/Agent.AGUU | Process monitor component that launches PerfWatson.exe or RuntimeSvc.exe to side-load lregdll.dll.\r\n401571851A7CF71783A4CB902DB81084F0A97F85 | main.dll | Win32/Agent.AEIJ | Decrypted SlowStepper backdoor component.\r\n068FD2D209C0BBB0C6FC14E88D63F92441163233 | IPanyVPNsetup.exe | Win32/ShellcodeRunner.GZ | Malicious IPany installer. Contains the SlowStepper implant and the legitimate IPany VPN software.\r\n
Network\r\nIP | Domain | Hosting provider | First seen | Details\r\n202.189.8[.]72 | reverse.wcsset[.]com | Shandong eshinton Network Technology Co., Ltd. | 2024-10-14 | Server used by the (reverse proxy) soc.mod tool.\r\n47.96.17[.]237 | agt.wcsset[.]com | Hangzhou Alibaba Advertising Co.,Ltd. | 2024-10-14 | Server used by agent.mod tool.\r\nN/A | 7051.gsm.360safe[.]company | N/A | 2020-09-29 | SlowStepper queries this domain to obtain its associated DNS TXT record.\r\n202.105.1[.]187 | st.360safe[.]company | IRT-CHINANET-CN | 2021-03-11 | Fallback C\u0026C server contacted by SlowStepper.\r\n47.74.159[.]166 | N/A | Alibaba (US) Technology Co., Ltd. | 2020-09-29 | SlowStepper C\u0026C server.\r\n8.130.87[.]195 | N/A | Hangzhou Alibaba Advertising Co.,Ltd. | 2020-09-29 | SlowStepper C\u0026C server.\r\n47.108.162[.]218 | N/A | Hangzhou Alibaba Advertising Co.,Ltd. | 2020-09-29 | SlowStepper C\u0026C server.\r\n47.113.200[.]18 | N/A | Hangzhou Alibaba Advertising Co.,Ltd. | 2020-09-29 | SlowStepper C\u0026C server.\r\n47.104.138[.]190 | N/A | Guowei Pan | 2020-09-29 | SlowStepper C\u0026C server.\r\n120.24.193[.]58 | N/A | Hangzhou Alibaba Advertising Co.,Ltd. | 2020-09-29 | SlowStepper C\u0026C server.\r\n202.189.8[.]87 | N/A | Shandong eshinton Network Technology Co., Ltd. | 2020-09-29 | SlowStepper C\u0026C server.\r\n202.189.8[.]69 | N/A | Shandong eshinton Network Technology Co., Ltd. | 2020-09-29 | SlowStepper C\u0026C server.\r\n202.189.8[.]193 | N/A | Shandong eshinton Network Technology Co., Ltd. | 2020-09-29 | SlowStepper C\u0026C server.\r\n47.92.6[.]64 | N/A | Hangzhou Alibaba Advertising Co.,Ltd. | 2020-09-29 | SlowStepper C\u0026C server.\r\n
MITRE ATT\u0026CK techniques\r\nThis table was built using version 16 of the MITRE ATT\u0026CK framework.\r\nTactic | ID | Name | Description\r\nResource Development | T1583.001 | Acquire Infrastructure: Domains | PlushDaemon has acquired domain names for its C\u0026C infrastructure.\r\nResource Development | T1583.004 | Acquire Infrastructure: Server | PlushDaemon has acquired servers to be used as C\u0026C servers.\r\nResource Development | T1608.001 | Stage Capabilities: Upload Malware | PlushDaemon has staged its toolkit in the code repository website GitCode.\r\nResource Development | T1608.002 | Stage Capabilities: Upload Tool | PlushDaemon has staged its toolkit in the code repository website GitCode.\r\nResource Development | T1588.001 | Obtain Capabilities: Malware | PlushDaemon has access to SlowStepper.\r\nResource Development | T1588.002 | Obtain Capabilities: Tool | PlushDaemon tools getcode.mod and getcode64.mod use Mimikatz.\r\nResource Development | T1588.003 | Obtain Capabilities: Code Signing Certificates | PlushDaemon tools soc.mod and stoll.mod are signed.\r\nResource Development | T1588.005 | Obtain Capabilities: Exploits | PlushDaemon has used an unidentified exploit for Apache HTTP server.\r\nInitial Access | T1659 | Content Injection | PlushDaemon can intercept network traffic to hijack update protocols and deliver its SlowStepper implant.\r\nInitial Access | T1190 | Exploit Public-Facing Application | PlushDaemon exploited an unidentified vulnerability in Apache HTTP Server.\r\nInitial Access | T1195.002 | Supply Chain Compromise: Compromise Software Supply Chain | PlushDaemon has compromised the supply chain of a VPN developer and replaced the original installer with a trojanized one containing the SlowStepper implant.\r\nExecution | T1059.003 | Command-Line Interface: Windows Command Shell | SlowStepper uses cmd.exe to execute commands on a compromised machine.\r\nExecution | T1059.006 | Command-Line Interface: Python | SlowStepper for Windows can use the Python console to execute the Python components of its toolkit.\r\nPersistence | T1547.001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | The SlowStepper installer establishes persistence by adding an entry in HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run.\r\nPersistence | T1547.004 | Boot or Logon Autostart Execution: Winlogon Helper DLL | The SlowStepper process monitor component can establish persistence by adding an entry in HKLM\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Userinit or HKCU\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\load.\r\nPersistence | T1574.002 | Hijack Execution Flow: DLL Side-Loading | PlushDaemon has abused a legitimate command line utility included in Visual Studio called regcap.exe to side-load a malicious DLL named lregdll.dll.\r\n
Defense Evasion | T1222.001 | File Permissions Modification: Windows File and Directory Permissions Modification | SlowStepper modifies the access rights of the directory where its components are stored on disk.\r\nDefense Evasion | T1070.004 | Indicator Removal: File Deletion | SlowStepper can remove its own files.\r\nDefense Evasion | T1036.005 | Masquerading: Match Legitimate Name or Location | SlowStepper uses folder names and filenames from legitimate software.\r\nDefense Evasion | T1112 | Modify Registry | SlowStepper can modify the registry.\r\nDefense Evasion | T1027.007 | Obfuscated Files or Information: Dynamic API Resolution | SlowStepper dynamically resolves Windows API functions.\r\nDefense Evasion | T1027.009 | Obfuscated Files or Information: Embedded Payloads | SlowStepper loader DLLs contain embedded, position-independent code, executed in memory, to load components.\r\nDefense Evasion | T1027.013 | Obfuscated Files or Information: Encrypted/Encoded File | SlowStepper components are stored encrypted on disk.\r\nDefense Evasion | T1553.002 | Subvert Trust Controls: Code Signing | PlushDaemon tools soc.mod and stoll.mod are signed.\r\nDiscovery | T1217 | Browser Bookmark Discovery | SlowStepper’s Browser tool collects information from browsers.\r\nDiscovery | T1083 | File and Directory Discovery | SlowStepper and its tools can search for files with specific extensions, or enumerate files in directories.\r\nDiscovery | T1120 | Peripheral Device Discovery | SlowStepper and its toolkit can discover devices connected to the compromised machine.\r\nDiscovery | T1057 | Process Discovery | SlowStepper can create a list of running processes.\r\nDiscovery | T1012 | Query Registry | SlowStepper can query the registry.\r\nDiscovery | T1518 | Software Discovery | SlowStepper can create a list of software installed on the compromised machine.\r\nDiscovery | T1082 | System Information Discovery | SlowStepper can collect system information.\r\nDiscovery | T1614 | System Location Discovery | SlowStepper’s Location tool attempts to discover the possible geolocation of the compromised machine by querying several online services.\r\nDiscovery | T1016 | System Network Configuration Discovery | SlowStepper collects information from the network adapters.\r\nDiscovery | T1016.002 | System Network Configuration Discovery: Wi-Fi Discovery | SlowStepper’s Wireless tool and its variants collect a wide range of information from the Wi-Fi network.\r\nDiscovery | T1033 | System Owner/User Discovery | SlowStepper obtains the username.\r\n
Collection | T1560.002 | Archive Collected Data: Archive via Library | SlowStepper tools can compress the collected data in ZIP archives.\r\nCollection | T1123 | Audio Capture | SlowStepper can capture audio if the compromised machine has a microphone.\r\nCollection | T1005 | Data from Local System | SlowStepper and its tools collect a wide range of data from the compromised system.\r\nCollection | T1074.001 | Data Staged: Local Data Staging | SlowStepper and its tools stage data locally before exfiltrating it to the C\u0026C server.\r\nCollection | T1113 | Screen Capture | SlowStepper’s ScreenRecord tool can take screenshots.\r\nCollection | T1125 | Video Capture | SlowStepper’s Camera tool can record videos if the compromised machine has a camera.\r\nCommand and Control | T1071.004 | Standard Application Layer Protocol: DNS | SlowStepper retrieves a DNS TXT record that contains an AES-encrypted list of C\u0026C servers.\r\nCommand and Control | T1132.001 | Data Encoding: Standard Encoding | SlowStepper retrieves a DNS TXT record that contains an AES-encrypted list of C\u0026C servers. The record is base64 encoded.\r\nCommand and Control | T1573.001 | Encrypted Channel: Symmetric Cryptography | SlowStepper’s communication protocol with its C\u0026C is encrypted with AES.\r\nCommand and Control | T1008 | Fallback Channels | SlowStepper gets a fallback C\u0026C server IP address by resolving an alternative domain controlled by the attackers.\r\nCommand and Control | T1105 | Remote File Copy | SlowStepper downloads additional tools from a remote code repository at GitCode.\r\nCommand and Control | T1104 | Multi-Stage Channels | SlowStepper obtains a list of C\u0026C servers by querying the DNS TXT record from a domain controlled by the attackers; if no communication can be established with the servers, it resolves the IP address of another domain controlled by the attackers to obtain a backup server. SlowStepper tools use different servers from PlushDaemon infrastructure.\r\nCommand and Control | T1095 | Standard Non-Application Layer Protocol | SlowStepper communicates with its C\u0026C via TCP.\r\nCommand and Control | T1090 | Connection Proxy | SlowStepper tools agent.mod and soc.mod are reverse proxies.\r\nCommand and Control | T1219 | Remote Access Tools | SlowStepper tool Remote.mod allows its operator to remotely control the compromised machine via VNC.\r\nExfiltration | T1020 | Automated Exfiltration | SlowStepper can exfiltrate staged data.\r\nExfiltration | T1041 | Exfiltration Over C2 Channel | SlowStepper exfiltrates collected data when connected to one of its C\u0026C servers.\r\nSource: https://www.welivesecurity.com/en/eset-research/plushdaemon-compromises-supply-chain-korean-vpn-service/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"MISPGALAXY",
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.welivesecurity.com/en/eset-research/plushdaemon-compromises-supply-chain-korean-vpn-service/"
	],
	"report_names": [
		"plushdaemon-compromises-supply-chain-korean-vpn-service"
	],
	"threat_actors": [
		{
			"id": "4f7a1404-3aa3-4f27-bced-473c16a4b65c",
			"created_at": "2025-02-23T02:03:22.518463Z",
			"updated_at": "2026-04-10T02:00:04.855713Z",
			"deleted_at": null,
			"main_name": "PlushDaemon",
			"aliases": [],
			"source_name": "ETDA:PlushDaemon",
			"tools": [
				"SlowStepper"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "a0c10b65-a8bb-473b-85b0-6bacc97ecbd8",
			"created_at": "2025-03-07T02:00:03.794198Z",
			"updated_at": "2026-04-10T02:00:03.819825Z",
			"deleted_at": null,
			"main_name": "PlushDaemon",
			"aliases": [],
			"source_name": "MISPGALAXY:PlushDaemon",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "3fff98c9-ad02-401d-9d4b-f78b5b634f31",
			"created_at": "2023-01-06T13:46:38.376868Z",
			"updated_at": "2026-04-10T02:00:02.949077Z",
			"deleted_at": null,
			"main_name": "Cleaver",
			"aliases": [
				"G0003",
				"Operation Cleaver",
				"Op Cleaver",
				"Tarh Andishan",
				"Alibaba",
				"TG-2889",
				"Cobalt Gypsy"
			],
			"source_name": "MISPGALAXY:Cleaver",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434747,
	"ts_updated_at": 1775826750,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/f7375857d8f83da003dfb0c89c351886a8ff453d.pdf",
		"text": "https://archive.orkl.eu/f7375857d8f83da003dfb0c89c351886a8ff453d.txt",
		"img": "https://archive.orkl.eu/f7375857d8f83da003dfb0c89c351886a8ff453d.jpg"
	}
}