Execution Process of North Korea's XCTDoor Disguised as a Security Installer

2026-03-30 Hauri Execution Process of North Korea's XCTDoor Disguised as a Security Installer

https://hauri.co.kr/security/security_view.html?intSeq=86&page=1&keyfield=&key=

Attachments

2026-03-27 … XCTDoor 실행 과정.pdf (1 MB)


HAURI analyzed a Korean campaign that disguised malware as a required integrated security installer used for banking and public-sector websites, with the archive mimicking Veraport by using a similar filename and normal-looking installation flow. The infection chain used DLL sideloading through a legitimate Microsoft utility and a hidden malicious credui.dll, then created scripts under public user folders and scheduled tasks named office365 and AdobeUpdate to stage additional payloads. HAURI links the activity to a suspected North Korea-related threat group based on an encrypted string key referencing Songun, while the delivery infrastructure included lengitan[.]info and hesenorm[.]info download paths. The final XCTDoor payload, loaded from Microsoft Edge-like paths as Go DLL components, supports system information collection, monitoring, remote command execution, additional malware download, and control of infected hosts.
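The chain summarized above leaves several host and network artefacts a defender can hunt for: a copy of credui.dll loaded from somewhere other than the Windows system directories, scheduled tasks named office365 or AdobeUpdate, scripts dropped under the public user folder, and traffic to the two delivery domains. The following is an added example, not HAURI's code and not from the report, that applies those checks to a list of endpoint telemetry events. The event schema (dict keys such as "type", "process", "image", "task", "path", "host"), the process and file paths in the sample events, and the script-extension list are all assumptions constructed for the example; only the DLL name, the task names and the two domains come from the summary above.

```python
import ntpath
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Indicators taken from the HAURI summary above.
IOC_DOMAINS = {"lengitan.info", "hesenorm.info"}
IOC_TASK_NAMES = {"office365", "adobeupdate"}          # compared case-insensitively
SIDELOADED_DLL = "credui.dll"
# A legitimate credui.dll lives in the Windows system directories; a copy anywhere
# else sitting next to a signed utility is the sideloading pattern described above.
SYSTEM_DLL_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
PUBLIC_DIR = "c:\\users\\public\\"
# Assumption: the report only says "scripts" were created under public user folders,
# so the extensions below are a generic hunting set, not values from the report.
SCRIPT_EXTS = {".vbs", ".js", ".bat", ".cmd", ".ps1"}


@dataclass(frozen=True)
class Finding:
    rule: str
    detail: str


def _norm(path: str) -> str:
    """Normalize a Windows path for comparison (slashes, case)."""
    return path.replace("/", "\\").lower()


def _matches_ioc_domain(host: str) -> bool:
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in IOC_DOMAINS)


def check_event(ev: dict) -> Optional[Finding]:
    """Return a Finding if a single telemetry event matches one of the hunt rules."""
    kind = ev.get("type")
    if kind == "image_load":
        image = _norm(ev["image"])
        if ntpath.basename(image) == SIDELOADED_DLL and not image.startswith(SYSTEM_DLL_DIRS):
            return Finding("credui_sideload", f"{ev['process']} loaded {ev['image']}")
    elif kind == "task_create":
        if ev["task"].strip("\\").lower() in IOC_TASK_NAMES:
            return Finding("staging_task", f"{ev['process']} registered task {ev['task']}")
    elif kind == "file_create":
        path = _norm(ev["path"])
        if path.startswith(PUBLIC_DIR) and ntpath.splitext(path)[1] in SCRIPT_EXTS:
            return Finding("public_script_drop", f"{ev['process']} wrote {ev['path']}")
    elif kind == "network":
        if _matches_ioc_domain(ev["host"]):
            return Finding("ioc_domain", f"{ev['process']} contacted {ev['host']}")
    return None


def hunt(events: Iterable[dict]) -> List[Finding]:
    """Run every event through the rules and keep the hits, in input order."""
    return [f for f in (check_event(ev) for ev in events) if f is not None]


# Constructed sample telemetry (not real logs): one benign system-DLL load, one
# sideload from a user-writable directory, one staging task, one dropped script,
# one IOC-domain connection and one benign connection.
SAMPLE_EVENTS = [
    {"type": "image_load", "process": "C:\\Windows\\System32\\signed_utility.exe",
     "image": "C:\\Windows\\System32\\credui.dll"},
    {"type": "image_load", "process": "C:\\Users\\user\\Downloads\\installer\\signed_utility.exe",
     "image": "C:\\Users\\user\\Downloads\\installer\\credui.dll"},
    {"type": "task_create", "process": "C:\\Windows\\System32\\schtasks.exe", "task": "\\AdobeUpdate"},
    {"type": "file_create", "process": "C:\\Windows\\System32\\cmd.exe",
     "path": "C:\\Users\\Public\\Documents\\update.vbs"},
    {"type": "network", "process": "C:\\Windows\\System32\\rundll32.exe", "host": "hesenorm.info"},
    {"type": "network", "process": "C:\\Program Files\\Microsoft\\Edge\\msedge.exe",
     "host": "www.microsoft.com"},
]

if __name__ == "__main__":
    for finding in hunt(SAMPLE_EVENTS):
        print(f"[{finding.rule}] {finding.detail}")
```

The domain check uses suffix matching so that any subdomain of the two delivery domains also triggers, and the DLL rule keys on the module path rather than the loading process, because the report only says the loader was a legitimate Microsoft utility without naming it.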

Indicators of Compromise

| Type   | Value                            | First Seen | Last Seen  |
|--------|----------------------------------|------------|------------|
| HASH   | f05d11616979d4b3a02024f0ec075b3b | 2026-03-30 | 2026-03-30 |
| HASH   | 1a77dddae05b6bd96820902b6aee9cc3 | 2026-03-30 | 2026-03-30 |
| HASH   | 97b14304761a2baa620007b2df8d6547 | 2026-03-30 | 2026-03-30 |
| HASH   | c43a146f8b3287a68bca193caf7be16a | 2026-03-30 | 2026-03-30 |
| HASH   | b86f07f60186e65dffca615cc69eaff1 | 2026-03-30 | 2026-03-30 |
| HASH   | 9a6758045179dbe96ef34ab3811c3d1e | 2026-03-30 | 2026-03-30 |
| HASH   | 00671b085eb385deecb3fbad1316ca42 | 2026-03-30 | 2026-03-30 |
| HASH   | d1642d1a13db6e2627136f4197f3a9e8 | 2026-03-30 | 2026-03-30 |
| HASH   | 3a61b8da99f73e60a0c305ff7a5085e1 | 2026-03-30 | 2026-03-30 |
| HASH   | 1f0e8b66339c5994a0e9ed5bdf8bc375 | 2026-03-30 | 2026-03-30 |
| HASH   | b004470d1e888abc8f68cedc374a9ce4 | 2026-03-30 | 2026-03-30 |
| URL    | https://lengitan.info/download   | 2026-03-30 | 2026-03-30 |
| URL    | https://hesenorm.info/download/… | 2026-03-30 | 2026-03-30 |
| URL    | https://hesenorm.info/download/… | 2026-03-30 | 2026-03-30 |
| URL    | https://hesenorm.info/download/… | 2026-03-30 | 2026-03-30 |
| DOMAIN | lengitan.info                    | 2026-03-30 | 2026-03-30 |
| DOMAIN | hesenorm.info                    | 2026-03-30 | 2026-03-30 |
