ESET researchers have uncovered a supply-chain attack against a South Korean VPN provider by a previously unknown China-aligned APT group named PlushDaemon. The attackers replaced the legitimate VPN installer with a malicious version that deployed their SlowStepper backdoor, a feature-rich implant with over 30 components. PlushDaemon has been active since at least 2019, targeting entities in China, Taiwan, Hong Kong, South Korea, the US, and New Zealand. The group's main initial access vector is hijacking legitimate updates of Chinese applications. SlowStepper uses a multi-stage C&C protocol involving DNS queries and has an extensive toolkit of Python and Go modules for data collection and espionage.