AhnLab warned that vulnerable versions of YettieSoft VestCert, a Korean Non-ActiveX public certificate module, exposed users to remote code execution because the resident service can restart the process and keep it available for exploitation. AhnLab observed exploitation through its ASD infrastructure, where attackers used the vulnerability to download and execute malware named winsync.dll. The malware closely resembled the previously reported SCSKAppLink.dll, including abuse of Notepad++ plug-in open source code and the same string-decryption routine, and AhnLab urged operators and users to update or reinstall fixed VestCert versions.