Chinese Hackers Compromise VPN Website to Spread Malware

A recent cybersecurity threat has been uncovered by antivirus company ESET, revealing that Chinese hackers hijacked the website of IPany, a South Korean VPN provider, to spread malware to users in Asia.
Malware Infection and Removal
In May 2024, ESET’s antivirus software detected malware infections on Windows computers traced back to IPany’s website.
Further analysis revealed that the installer was deploying both the legitimate VPN software and a backdoor, dubbed SlowStepper.
Scope of the Attack
The compromised website did not contain any code to target specific users based on their geographic region or IP address. As a result, ESET warns that anyone using the IPany VPN might have been a potential target.
Attribution and Motivation
ESET attributed the attack to a Chinese hacking group known as PlushDaemon, which has been active since 2019, conducting cyber espionage in China, Taiwan, South Korea, and the US.
The company’s telemetry data revealed that several users attempted to install the trojanized software in the networks of a semiconductor company and a software development company in South Korea.
Additional victims were identified in Japan and China, dating back to November and December 2023, respectively.
Mitigation and Prevention
To protect themselves from similar attacks, users are advised to exercise caution when downloading software from the internet, ensure their antivirus software is up to date, and monitor their systems for suspicious activity.
“The numerous components in the PlushDaemon toolset, and its rich version history, show that, while previously unknown, this China-aligned APT group has been operating diligently to develop a wide array of tools, making it a significant threat to watch for,” ESET said.