AhnLab ASEC reports that Andariel has continued attacks against South Korean companies by abusing domestic asset-management solutions to deploy malware. The campaign uses AndarLoader and ModeLoader, with this case adding MeshAgent as a newly observed remote-management tool in Andariel activity. The source describes ModeLoader launched through mshta, AndarLoader installed as SVPNClientW.exe, credential theft with Mimikatz, security log clearing through wevtutil, and keylogging plus clipboard logging to a public user path. Representative infrastructure includes AndarLoader domains such as privacy.hopto.org and privatemake.bounceme.net, a MeshAgent IP, and multiple ModeLoader URLs under kro.kr and o-r.kr domains.