Newly Discovered Chinese Threat Group Targets South Korean VPN Developer
A newly discovered Chinese threat group, dubbed PlushDaemon by researchers at ESET Research, has targeted a South Korean VPN developer with a supply chain attack aimed at deploying a custom backdoor to collect data for cyber-espionage purposes.
PlushDaemon’s Typical Malicious Operations
The group typically aims to hijack legitimate updates of Chinese applications in its malicious operations, "by redirecting traffic to attacker-controlled servers," according to a blog post by ESET researcher Facundo Muñoz published on Jan. 22. Additionally, the group has been observed gaining access via vulnerabilities in legitimate web servers, he wrote.
The Threat to Organizations
With a new, well-resourced actor like PlushDaemon now emerging from the shadows, organizations need to be more vigilant than ever against malicious cyber activity from China, Muñoz said. "The numerous components in the PlushDaemon toolset and its rich version history show that, while previously unknown, this China-aligned APT group has been operating diligently to develop a wide array of tools, making it a significant threat to watch for," he wrote.
Indicators of Compromise and Samples Available
To help defenders act on the research, ESET's blog post links to its GitHub repository, which carries the indicators of compromise (IoCs) and samples associated with PlushDaemon activity. Those indicators can be fed directly into log searches, endpoint hash sweeps and network monitoring to hunt for the group's presence.
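The two detection angles the article raises are matching published IoCs and spotting update traffic that has been redirected away from the legitimate vendor infrastructure. The following script, added here as an illustration and not taken from ESET's post or repository, shows both: it parses a "type,value" IoC feed, sweeps a proxy log for matching domains and destination IPs, hashes files against the feed, and flags requests for a known update host that were answered from an address outside the ranges the vendor is expected to use. Every indicator, hostname, IP address and log line in it is a constructed placeholder (RFC 5737 documentation ranges and .example/.test names), not a real PlushDaemon IoC; the expected-range allowlist and the log format are assumptions for the example.

```python
"""IoC sweep over a proxy log and a set of files, plus a redirected-update check.

Added example. All indicators, hosts, IPs and log lines are constructed
placeholders; none are real PlushDaemon IoCs.
"""
import hashlib
import ipaddress
import re
from typing import Dict, List, Set, Tuple

# Constructed stand-in for an IoC feed in the common "type,value" CSV shape.
# The sha256 entry is computed from constructed bytes so the example is self-contained.
SAMPLE_MALICIOUS_BYTES = b"constructed stand-in for a trojanised installer"
IOC_FEED = (
    "domain,update-cdn.example.test\n"
    "ip,203.0.113.77\n"
    f"sha256,{hashlib.sha256(SAMPLE_MALICIOUS_BYTES).hexdigest()}\n"
)

# Hypothetical allowlist: the vendor's legitimate update host and the address
# ranges it is expected to be served from. A request for that host that lands
# anywhere else is the "update traffic redirected to attacker servers" pattern.
EXPECTED_UPDATE_HOSTS: Dict[str, List[ipaddress.IPv4Network]] = {
    "update.vendor.example": [ipaddress.ip_network("198.51.100.0/24")],
}

# Constructed proxy log: "<ts> <src_ip> <dst_ip> <method> <host> <path> <status>".
PROXY_LOG = """\
2025-01-22T09:00:01Z 10.0.0.5 198.51.100.20 GET update.vendor.example /v2/manifest.json 200
2025-01-22T09:00:02Z 10.0.0.5 203.0.113.77 GET update.vendor.example /v2/setup.exe 200
2025-01-22T09:01:10Z 10.0.0.9 192.0.2.15 GET update-cdn.example.test /p/stage2.dat 200
2025-01-22T09:02:00Z 10.0.0.7 198.51.100.21 GET update.vendor.example /v2/manifest.json 200
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<dst>\S+) (?P<method>\S+) "
    r"(?P<host>\S+) (?P<path>\S+) (?P<status>\d{3})$"
)

Finding = Tuple[int, str, str]  # (log line number, reason, matched value)


def parse_iocs(feed: str) -> Dict[str, Set[str]]:
    """Parse "type,value" lines into lower-cased sets keyed by indicator type."""
    iocs: Dict[str, Set[str]] = {"domain": set(), "ip": set(), "sha256": set()}
    for raw in feed.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        kind, _, value = line.partition(",")
        kind, value = kind.strip().lower(), value.strip().lower().rstrip(".")
        if kind in iocs and value:
            iocs[kind].add(value)
    return iocs


def domain_matches(host: str, domains: Set[str]) -> str:
    """Return the IoC domain equal to `host` or a parent of it, else ''."""
    host = host.lower().rstrip(".")
    for d in domains:
        if host == d or host.endswith("." + d):
            return d
    return ""


def scan_proxy_log(log: str, iocs: Dict[str, Set[str]],
                   expected_hosts: Dict[str, List[ipaddress.IPv4Network]]) -> List[Finding]:
    """Flag IoC domain/IP hits and update-host requests served from unexpected ranges."""
    findings: List[Finding] = []
    for n, raw in enumerate(log.splitlines(), start=1):
        m = LOG_RE.match(raw)
        if not m:
            continue  # unparsable line; a production job should count these
        host, dst = m["host"].lower(), m["dst"]
        hit = domain_matches(host, iocs["domain"])
        if hit:
            findings.append((n, "ioc_domain", hit))
        if dst in iocs["ip"]:
            findings.append((n, "ioc_ip", dst))
        ranges = expected_hosts.get(host)
        if ranges is not None:
            try:
                addr = ipaddress.ip_address(dst)
            except ValueError:
                continue
            if not any(addr in net for net in ranges):
                findings.append((n, "update_redirect", f"{host} -> {dst}"))
    return findings


def scan_files(files: Dict[str, bytes], iocs: Dict[str, Set[str]]) -> List[str]:
    """Return names of files whose SHA-256 appears in the feed."""
    return [name for name, data in files.items()
            if hashlib.sha256(data).hexdigest() in iocs["sha256"]]


if __name__ == "__main__":
    feed = parse_iocs(IOC_FEED)
    for line_no, reason, value in scan_proxy_log(PROXY_LOG, feed, EXPECTED_UPDATE_HOSTS):
        print(f"line {line_no}: {reason} {value}")
    print("file hits:", scan_files({"setup.exe": SAMPLE_MALICIOUS_BYTES, "readme.txt": b"clean"}, feed))
```

Hash matching is the weakest of the three checks, since a repacked sample defeats it, and domain and IP indicators age quickly; the redirected-update rule is the one that survives infrastructure changes, but it only works if the allowlist of expected update ranges is kept current for each vendor you care about.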
The Need for Vigilance
The emergence of PlushDaemon underlines how much previously unseen China-aligned capability can sit undetected in software supply chains. As Muñoz noted, organizations must be prepared to face new and sophisticated threats, and they need the tooling and intelligence in place to detect and respond to them effectively.