Xctdoor Malware Used in Attacks Against Korean Companies (Andariel)
2024-06-24 • AhnLab • Xctdoor Malware Used in Attacks Against Korean Companies (Andariel)
ASEC observed attacks against South Korean defense and manufacturing organizations involving the Xctdoor malware, with activity assessed as similar to earlier Andariel abuse of compromised ERP update mechanisms. In the 2024 cases, the attackers appear to have abused a domestic ERP update server or vulnerable web servers to deploy XcLoader and Xctdoor, echoing a 2017 Andariel pattern in which malicious routines were inserted into ClientUpdater.exe to deliver HotCroissant.

Xctdoor is described as a Go-based DLL backdoor launched through Regsvr32.exe. It is copied into an Edge-related local path, persisted with a MicrosoftEdge.lnk shortcut, and injected into processes such as explorer.exe or taskhost variants. Its capabilities include sending host and user information to an HTTP C2, executing attacker commands, capturing screenshots, keylogging, logging clipboard data, and collecting drive information; packets are encrypted using mt19937 and Base64.

The excerpt also notes web-server compromise, probable webshell command execution, and Ngrok logs, making this activity relevant for tracking DPRK-linked enterprise intrusion and internal propagation tradecraft.
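Two of the host-level behaviours summarized above (a DLL launched through Regsvr32.exe from a user-writable, Edge-themed path, and a MicrosoftEdge.lnk shortcut dropped in a Startup folder) can be hunted for in process-creation and file-creation telemetry. The Python below is an added illustration, not code from ASEC or the report; the Sysmon-style event layout, the sample paths and the DLL name are constructed, and the user-writable directory list is an assumption, not an indicator from the report.

```python
import re

# Constructed Sysmon-style events for illustration (not from the ASEC report).
# Fields: event_type|image|command_line|target_file
SAMPLE_EVENTS = [
    "ProcessCreate|C:\\Windows\\System32\\regsvr32.exe|"
    "regsvr32.exe /s \"C:\\Users\\alice\\AppData\\Local\\Microsoft\\Edge\\update.dll\"|",
    "ProcessCreate|C:\\Windows\\System32\\regsvr32.exe|"
    "regsvr32.exe /s C:\\Program Files\\Vendor\\legit.dll|",
    "FileCreate|C:\\Windows\\explorer.exe||C:\\Users\\alice\\AppData\\Roaming\\Microsoft"
    "\\Windows\\Start Menu\\Programs\\Startup\\MicrosoftEdge.lnk",
    "FileCreate|C:\\Program Files\\Microsoft\\Edge\\Application\\msedge.exe||"
    "C:\\Users\\alice\\Desktop\\MicrosoftEdge.lnk",
]

# First DLL/OCX path on the command line, with or without surrounding quotes.
DLL_ARG = re.compile(r'"?([a-z]:\\[^"|]+?\.(?:dll|ocx))"?', re.I)
# Assumed set of user-writable locations; regsvr32 loading from here is unusual.
USER_WRITABLE = re.compile(r"\\(?:appdata|temp|programdata|users\\public)\\", re.I)
# A MicrosoftEdge.lnk written into a per-user or all-users Startup folder.
STARTUP_LNK = re.compile(r"\\start menu\\programs\\startup\\microsoftedge\.lnk$", re.I)


def hunt(events):
    """Return one finding per event that matches an Xctdoor-style launch or persistence pattern."""
    findings = []
    for line in events:
        etype, image, cmd, target = line.split("|", 3)
        if etype == "ProcessCreate" and image.lower().endswith("\\regsvr32.exe"):
            m = DLL_ARG.search(cmd)
            if m and USER_WRITABLE.search(m.group(1)):
                findings.append({
                    "rule": "regsvr32_user_writable_dll",
                    "path": m.group(1),
                    # Edge-themed staging path raises confidence; not required to alert.
                    "edge_themed": "edge" in m.group(1).lower(),
                })
        elif etype == "FileCreate" and STARTUP_LNK.search(target):
            findings.append({"rule": "startup_microsoftedge_lnk", "path": target, "edge_themed": True})
    return findings


if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f["rule"], f["path"], "edge-themed" if f["edge_themed"] else "")
```

The legitimate regsvr32 load from Program Files and the desktop shortcut are deliberately left unflagged so the two rules can be tuned against benign noise before deployment.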