Malware distributed on a Korean internet community site (disguised as a utility)

2020-07-23, AhnLab: Malware distributed on a Korean internet community site while disguised as a utility

https://asec.ahnlab.com/1360


AhnLab ASEC found malware distributed through a Korean community download board as a trojanized utility rather than a document lure. The attacker modified a legitimate utility executable by adding an executable .ireloc section with shellcode and changing execution flow so the normal program still ran while a malicious thread executed. The shellcode contacted C2 infrastructure, downloaded and decoded a payload, saved it as acview.dll in the temporary directory, and launched it with regsvr32. ASEC notes that the command pattern overlaps earlier Korean HWP vulnerability and Excel macro malware cases, and lists representative indicators including trebat[.]co and byliny[.]bionebe[.]cz URLs.
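The trojanizing technique summarised above leaves a structural trace in the binary itself: a legitimate utility gains an extra executable section (named .ireloc in this case) and its control flow is altered so that the added code runs. The following added example, written for this summary and not code from AhnLab or from the report, parses the PE section table with only the standard library and flags sections that look injected: executable sections with a non-standard name, sections that are both writable and executable, and an entry point that lies outside a conventionally named code section. The set of "expected" code section names, the entry-point heuristic (the report does not state exactly how execution flow was changed) and the header-only sample image built by build_sample_pe are all assumptions made for illustration.

```python
import struct

# Section Characteristics flags from the PE/COFF specification.
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000

# Assumption: names a compiler/linker normally gives to code sections.
# Anything else carrying the execute bit deserves a closer look.
EXPECTED_CODE_SECTIONS = {".text", "CODE", ".code", "INIT", "PAGE"}


def iter_sections(pe: bytes):
    """Yield (name, virtual_size, virtual_addr, raw_size, raw_ptr, characteristics)
    for every entry in the PE section table. Raises ValueError on malformed input."""
    if len(pe) < 0x40 or pe[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ header")
    (e_lfanew,) = struct.unpack_from("<I", pe, 0x3C)
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file: missing PE signature")
    coff = e_lfanew + 4                                   # start of COFF file header
    (num_sections,) = struct.unpack_from("<H", pe, coff + 2)
    (opt_size,) = struct.unpack_from("<H", pe, coff + 16)
    table = coff + 20 + opt_size                          # section table follows optional header
    for i in range(num_sections):
        off = table + 40 * i                              # each section header is 40 bytes
        name, vsize, vaddr, rsize, rptr = struct.unpack_from("<8sIIII", pe, off)
        (chars,) = struct.unpack_from("<I", pe, off + 36)
        yield name.rstrip(b"\0").decode("ascii", "replace"), vsize, vaddr, rsize, rptr, chars


def suspicious_sections(pe: bytes):
    """Return (section_name, reason) pairs for sections that look like injected code."""
    (e_lfanew,) = struct.unpack_from("<I", pe, 0x3C)
    opt = e_lfanew + 24                                   # optional header start
    (entry,) = struct.unpack_from("<I", pe, opt + 16)     # AddressOfEntryPoint (RVA)
    findings = []
    for name, vsize, vaddr, rsize, rptr, chars in iter_sections(pe):
        executable = bool(chars & (IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_CNT_CODE))
        writable = bool(chars & IMAGE_SCN_MEM_WRITE)
        span = max(vsize, rsize)
        holds_entry = vaddr <= entry < vaddr + span
        if executable and name not in EXPECTED_CODE_SECTIONS:
            findings.append((name, "executable section with non-standard name"))
        if executable and writable:
            findings.append((name, "section is both writable and executable"))
        if holds_entry and name not in EXPECTED_CODE_SECTIONS:
            findings.append((name, "entry point lies outside a standard code section"))
    return findings


def build_sample_pe(sections, entry_point):
    """Construct a minimal header-only PE32 image for testing (constructed data,
    not a real binary). sections: list of (name, virtual_addr, size, characteristics)."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    opt_size = 0xE0                                       # size of a PE32 optional header
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)                 # PE32 magic
    struct.pack_into("<I", opt, 16, entry_point)          # AddressOfEntryPoint
    table = b""
    for name, vaddr, size, chars in sections:
        table += struct.pack("<8sIIIIIIHHI", name.encode().ljust(8, b"\0"),
                             size, vaddr, size, 0x400, 0, 0, 0, 0, chars)
    return dos + b"PE\0\0" + coff + bytes(opt) + table


# Constructed samples: a clean layout and one with an added executable section
# (named .ireloc as in the report) that also receives the entry point.
CLEAN = build_sample_pe(
    [(".text", 0x1000, 0x2000, 0x60000020), (".data", 0x3000, 0x1000, 0xC0000040)], 0x1100)
TROJANIZED = build_sample_pe(
    [(".text", 0x1000, 0x2000, 0x60000020), (".data", 0x3000, 0x1000, 0xC0000040),
     (".ireloc", 0x4000, 0x800, 0xE0000020)], 0x4000)

if __name__ == "__main__":
    for label, image in (("clean", CLEAN), ("trojanized", TROJANIZED)):
        print(label, suspicious_sections(image) or "no findings")
```

To run it over real files, pass the bytes of a PE to suspicious_sections; on a build of a known-good utility the result should be empty, and any hit on a section such as .ireloc is a reason to compare the file against the vendor's original hash before it is allowed to execute.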

Indicators of Compromise

Type    Value                              First Seen   Last Seen
URL     https://byliny.bionebe.cz/wp-co…   2020-07-23   2020-07-23
DOMAIN  byliny.bionebe.cz                  2020-07-23   2020-07-23