A newly discovered China-aligned APT group called PlushDaemon has been found conducting cyber espionage through a supply-chain attack. The group is targeting a South Korean VPN provider, replacing its legitimate software installers with malicious ones that deploy the SlowStepper malware. SlowStepper comes with a large toolkit, written in C++, Python and Go, that is used for espionage. The group gains initial access by hijacking legitimate software updates.