Chinese hackers hijacked a VPN provider’s website to spread malware to users in Asia, according to antivirus company ESET.
In May 2024, ESET’s antivirus software flagged malware infections on Windows computers that were traced to the website of South Korean VPN company IPany.
“Upon further analysis, we discovered that the installer was deploying both the legitimate software and the backdoor that we’ve named SlowStepper,” ESET said in a Wednesday blog post. “We contacted the VPN software developer to inform them of the compromise, and the malicious installer was removed from their website.”
The page that hosted the downloads. (Credit: ESET)
It’s unclear how the hackers tampered with IPany’s website. The company didn’t immediately respond to a request for comment.
ESET warns that the compromised website contained no code to circulate the malicious installer to specific users based upon their geographic region or IP address. “Therefore, we believe that anyone using the IPany VPN might have been a valid target,” ESET says.
ESET traced the attack to a Chinese hacking group called PlushDaemon, which has been active since 2019 conducting cyberespionage in China, Taiwan, South Korea, and the US. PlushDaemon’s SlowStepper backdoor secretly communicates with the group’s command-and-control server. The backdoor can carry out numerous instructions, including downloading and executing additional malware, collecting a computer’s specs, and deleting specific files.
ESET adds that PlushDaemon’s attack may have helped the group spy on high-value targets. “Via ESET telemetry, we found that several users attempted to install the trojanized software in the network of a semiconductor company and an unidentified software development company in South Korea,” the company says. “The two oldest cases registered in our telemetry were a victim from Japan in November 2023 and a victim from China in December 2023.”
The incident is also a supply chain attack, in which a hacker compromises widely used third-party software, gaining a way to infiltrate numerous users at once. In 2023, suspected North Korean hackers pulled off a similar scheme by compromising the 3CX voice-calling app to circulate a malicious software version to unsuspecting users.