China-linked hacker group targets victims in East Asia with malicious VPN installers
A previously unknown Chinese state-sponsored hacker group has been targeting users in East Asia in a new espionage campaign, researchers said Wednesday.
The threat actor, tracked as PlushDaemon, compromised a virtual private network (VPN) installer developed by the South Korean firm IPany to deploy custom malware on the victims' devices.
According to a report by Slovak-based cybersecurity firm ESET, the attackers replaced IPany’s legitimate installer with one that deployed a backdoor capable of extensive data collection and spying through recorded audio and video.
PlushDaemon reportedly compromised IPany in 2023, but researchers did not uncover the campaign until May 2024, when they detected malicious code in a Windows installer that users in South Korea had downloaded from IPany’s legitimate website.
ESET said it contacted the VPN developer to inform them of the compromise, and the malicious installer was removed from the website.
It is unclear how many victims the hackers were able to compromise, but researchers said that anyone using the IPany VPN could have been a valid target.
ESET found that several users attempted to install the infected software from within the networks of a semiconductor company and an unidentified software development company in South Korea. ESET also detected victims in Japan and China.
Although not previously documented, PlushDaemon has been active since at least 2019, conducting espionage operations against individuals and entities in China, Taiwan, Hong Kong, South Korea, the U.S., and New Zealand. The group’s main initial-access technique, according to ESET, is hijacking the legitimate update channels of Chinese applications.
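Both of the techniques described above, a trojanized installer served from the vendor's own site and hijacked update traffic, defeat the usual "I got it from the official source" reasoning. A basic triage check a defender can run on a downloaded Windows installer, added here as an illustration and not part of the Recorded Future article or ESET's research, is to verify the Authenticode signature and compare the file's hash against a reference obtained out-of-band. The installer path, the expected publisher pattern and the reference hash are all assumptions the caller supplies; nothing here is taken from the IPany case.

```powershell
# Added illustrative check; not from ESET's report or the article above.
# Assumptions (hypothetical): $InstallerPath points at the downloaded file,
# $ExpectedPublisherPattern matches the genuine signer's certificate subject,
# and $KnownGoodSha256 comes from a channel the attacker does not control
# (e.g. a previously verified copy), NOT from the same download page.
param(
    [Parameter(Mandatory)] [string] $InstallerPath,
    [string] $ExpectedPublisherPattern = 'IPany',  # assumption: replace with the real signer CN
    [string] $KnownGoodSha256 = ''                 # obtained out-of-band; empty string skips the check
)

$sig  = Get-AuthenticodeSignature -FilePath $InstallerPath
$hash = (Get-FileHash -Path $InstallerPath -Algorithm SHA256).Hash

$findings = @()

# 1. Signature must chain to a trusted root and be intact ('Valid').
#    'NotSigned', 'HashMismatch' and 'UnknownError' are all red flags for an installer.
if ($sig.Status -ne 'Valid') {
    $findings += "Authenticode status is '$($sig.Status)' (expected 'Valid')"
}
# 2. A valid signature from the WRONG publisher is still a compromise indicator.
elseif ($sig.SignerCertificate.Subject -notmatch $ExpectedPublisherPattern) {
    $findings += "Signed by '$($sig.SignerCertificate.Subject)', not the expected publisher"
}

# 3. Hash pinning only helps when the reference did not come from the same
#    (possibly attacker-controlled) web page as the installer.
if ($KnownGoodSha256 -and $hash -ne $KnownGoodSha256.ToUpper()) {
    $findings += "SHA-256 $hash does not match the out-of-band reference"
}

[pscustomobject]@{
    File      = $InstallerPath
    Sha256    = $hash
    SigStatus = $sig.Status
    Signer    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
    Verdict   = if ($findings.Count -eq 0) { 'PASS' } else { 'SUSPICIOUS' }
    Findings  = $findings
}
```

Run it as `.\Check-Installer.ps1 -InstallerPath .\setup.exe -KnownGoodSha256 <hash>`. The article does not say whether the trojanized IPany installer carried a signature, so treat a passing signature as one signal rather than a verdict: if the attacker also obtained the vendor's signing key, or if the reference hash was copied from the same compromised page, both checks pass on a malicious file. The check is most useful for catching the common case of an unsigned or differently signed replacement binary.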
“The numerous components in the PlushDaemon toolset, and its rich version history, show that, while previously unknown, this China-aligned APT group has been operating diligently to develop a wide array of tools, making it a significant threat to watch for,” ESET said.
Daryna Antoniuk is a reporter for Recorded Future News based in Ukraine. She writes about cybersecurity startups, cyberattacks in Eastern Europe and the state of the cyberwar between Ukraine and Russia. She previously was a tech reporter for Forbes Ukraine. Her work has also been published at Sifted, The Kyiv Independent and The Kyiv Post.