Information leakage malware disguised as a famous domestic portal site

2022-01-07 Ahnlab Information leakage malware disguised as a famous domestic portal site

https://asec.ahnlab.com/ko/30582/


ASEC analyzed an information-stealing Windows malware campaign delivered through Korean phishing infrastructure and disguised as a NAVER-related archive. The phishing flow redirects users from a Kakao-themed credential theft page to NAVER.zip, which contains an executable named as a Naver security tool. When run, the malware creates an Outlooka directory under AppData, drops AWasctUI.exe to collect host information and rdpclipe.exe to log keystrokes, and persists both through Startup folder shortcuts. It stores keylogging, systeminfo, and drive-tree output locally, exfiltrates files containing "UP" to 66.94.98[.]48/ESOK/post2.php, and can fetch additional data from the same server while showing an OTPGenerator decoy window.

Indicators of Compromise

Type    Value                              First Seen  Last Seen
URL     http://downfile.navers.com-pass…   2022-01-07  2022-01-07
URL     http://mail2.daum.confirm-pw.li…   2022-01-07  2022-01-07
DOMAIN  downfile.navers.com-pass.online    2022-01-07  2022-01-07
DOMAIN  mail2.daum.confirm-pw.link         2022-01-07  2022-01-07
IPv4    66.94.98.48                        2022-01-07  2022-01-07
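The behaviour summary and the indicator table above give a defender enough to write host- and network-side matching rules: the Outlooka drop directory under AppData, the dropped AWasctUI.exe and rdpclipe.exe, Startup-folder shortcuts pointing into that directory, the exfiltration endpoint 66.94.98.48 with the /ESOK/post2.php path, and the two phishing domains. The following is an added example, not ASEC's code or anything from the report: it runs those checks over a handful of constructed telemetry events (process creation, file creation with shortcut target, and network connection records). The event dictionary layout and the sample events are assumptions made for this illustration, and the directory match allows both AppData\Roaming and AppData\Local since the report only says "under AppData".

```python
"""IoC matcher for the NAVER.zip infostealer described in the ASEC summary.

Added example for defenders; not ASEC's code. Indicators come from the report
(Outlooka directory under AppData, AWasctUI.exe, rdpclipe.exe, Startup-folder
shortcuts, 66.94.98.48 with /ESOK/post2.php, and the two phishing domains).
The event layout and the SAMPLE_EVENTS below are constructed for illustration.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

C2_IP = "66.94.98.48"
C2_PATH = "/ESOK/post2.php"
PHISHING_DOMAINS = {"downfile.navers.com-pass.online", "mail2.daum.confirm-pw.link"}
DROPPED_BINARIES = {"awasctui.exe", "rdpclipe.exe"}
# Assumption: the report says "under AppData" without naming Roaming or Local,
# so accept either (or neither) between AppData and Outlooka.
DROP_DIR_RE = re.compile(r"\\appdata\\(?:roaming\\|local\\)?outlooka\\", re.IGNORECASE)
STARTUP_LNK_RE = re.compile(r"\\start menu\\programs\\startup\\[^\\]+\.lnk$", re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    rule: str
    detail: str


def check_process(ev: dict) -> list[Finding]:
    """Process-creation event: flag the dropped binary names and any image
    executing out of the Outlooka directory."""
    image = ev.get("image", "")
    name = image.rsplit("\\", 1)[-1].lower()
    findings = []
    if name in DROPPED_BINARIES:
        findings.append(Finding("dropped_binary", image))
    if DROP_DIR_RE.search(image):
        findings.append(Finding("outlooka_dropdir", image))
    return findings


def check_file(ev: dict) -> list[Finding]:
    """File-creation event: a Startup-folder .lnk whose target lives in Outlooka
    is the persistence step; any other file written into Outlooka is the drop."""
    path = ev.get("path", "")
    target = ev.get("target", "")  # shortcut target, present only for .lnk files
    if STARTUP_LNK_RE.search(path) and DROP_DIR_RE.search(target):
        return [Finding("startup_lnk_to_outlooka", f"{path} -> {target}")]
    if DROP_DIR_RE.search(path):
        return [Finding("outlooka_dropdir", path)]
    return []


def check_network(ev: dict) -> list[Finding]:
    """Network event: C2 address, exfiltration URL path, and phishing hosts."""
    findings = []
    if ev.get("dest_ip") == C2_IP:
        findings.append(Finding("c2_ip", ev["dest_ip"]))
    if C2_PATH.lower() in ev.get("url", "").lower():
        findings.append(Finding("c2_exfil_url", ev["url"]))
    if ev.get("host", "").lower() in PHISHING_DOMAINS:
        findings.append(Finding("phishing_domain", ev["host"]))
    return findings


def scan(events: list[dict]) -> list[Finding]:
    """Dispatch each event to the matcher for its type and collect findings."""
    dispatch = {"process": check_process, "file": check_file, "network": check_network}
    findings: list[Finding] = []
    for ev in events:
        handler = dispatch.get(ev.get("type"))
        if handler:
            findings.extend(handler(ev))
    return findings


# Constructed sample telemetry: two true positives per category plus benign noise
# (the legitimate rdpclip.exe, which the dropped rdpclipe.exe imitates by name).
SAMPLE_EVENTS = [
    {"type": "process", "image": r"C:\Users\victim\AppData\Roaming\Outlooka\AWasctUI.exe"},
    {"type": "process", "image": r"C:\Windows\System32\rdpclip.exe"},
    {"type": "file",
     "path": r"C:\Users\victim\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\rdpclipe.lnk",
     "target": r"C:\Users\victim\AppData\Roaming\Outlooka\rdpclipe.exe"},
    {"type": "network", "dest_ip": "66.94.98.48", "url": "http://66.94.98.48/ESOK/post2.php"},
    {"type": "network", "dest_ip": "203.0.113.10", "host": "mail2.daum.confirm-pw.link",
     "url": "http://mail2.daum.confirm-pw.link/"},
    {"type": "network", "dest_ip": "203.0.113.20", "host": "www.example.com"},
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"{f.rule:24} {f.detail}")
```

The shortcut rule is the most durable of the set: the C2 address and phishing domains will rotate, but a Startup-folder .lnk that points into a freshly created directory under AppData is a generic persistence pattern worth alerting on regardless of which infostealer family created it.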
