MeshAgent C2 Detection: How to Prevent Potential Malware Attacks

2024-04-09 Criminal IP Search Query: tag: "c2_meshagent"

https://blog.criminalip.io/ko/2024/04/09/%eb%a9%94%ec%8b%9c%ec%97%90%ec%9d%b4%ec%a0%84%ed%8a%b8/

Andariel activity is reported to involve abuse of MeshAgent as command-and-control tooling against South Korean companies. According to the source, the operators downloaded a MeshAgent C2 component named fav.ico from an external host and moved laterally to deploy malware families including AndarLoader and ModeLoader. Because MeshAgent is a remote administration tool that offers command execution, remote desktop, VNC, power control, and account management, defenders should distinguish legitimate administration from suspicious installation paths, retrieval from external sources, and follow-on loader execution. The archive is useful for detection work around remote-management-tool abuse, DPRK-linked intrusion operations, and the targeting of Korean enterprises.

Related Actors

First seen: Jul 2017
Last seen: May 2026
