Sejong Institute

#Sejong • 2018-05

🇰🇷 Korea, Republic of

The Sejong Institute incident was a South Korea-focused watering-hole operation against reunification, diplomacy, and security stakeholders, using an ActiveX vulnerability in AcubeFileCtrl.ocx before version 2.3.0.4 to download and execute malware. The injected JavaScript collected browser and ActiveX installation details and sent them to attacker infrastructure, while the malware authenticated to C2, used RC4 with a fixed key, collected host details, and executed commands through cmd.exe.

Related Actors

Related Reports
