Beware of malware distributed disguised as a security update installer

2023-06-09 AhnLab Beware of spreading malware disguised as a security update installation program

https://asec.ahnlab.com/ko/54041/


The joint analysis group of AhnLab and South Korea’s National Cyber Security Center reported malware that a state-backed hacking group distributed as a fake security update installer. The malicious installer was built with Inno Setup and contained an install_script.iss script that wrote the malicious files under C:\ProgramData and registered installation information in Programs and Features, so the package looked like a legitimately installed program. After execution, the malware registered itself in startup-related registry locations for persistence, collected system information, sent it to the attacker’s C&C server, and could execute additional commands received from that server. AhnLab detects the threat as Dropper/Win.FakeGovuki and provided representative indicators, including the MD5 c5e0a2b881a60fb3440bb78e9920dccd and the defanged domain pita1.sportsontheweb[.]net.

Indicators of Compromise

Type    Value                              First Seen   Last Seen
HASH    c5e0a2b881a60fb3440bb78e9920dccd   2023-06-09   2023-08-16
DOMAIN  pita1.sportsontheweb.net           2023-06-09   2023-08-16
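A hunting rule for the behaviour chain the report describes, written here as an added example and not code from AhnLab or the report: it tags endpoint events for the drop under C:\ProgramData, the Programs and Features (Uninstall key) entry, the startup Run value and the two published indicators, and flags a process when an indicator matches or at least two of the behaviours co-occur. The pipe-separated telemetry format and the sample events are constructed for the example.

```python
import re
from collections import defaultdict

# Indicators taken from the report above.
IOC_MD5 = {"c5e0a2b881a60fb3440bb78e9920dccd"}
IOC_DOMAINS = {"pita1.sportsontheweb.net"}
# Behaviours the report describes: drop under C:\ProgramData, register in
# Programs and Features (Uninstall key), add a startup Run value.
PROGRAMDATA_RE = re.compile(r"^C:\\ProgramData\\", re.I)
UNINSTALL_RE = re.compile(r"\\CurrentVersion\\Uninstall\\", re.I)
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run(Once)?\\", re.I)

# Constructed telemetry (not from the report): event_type|pid|image|detail
SAMPLE_EVENTS = """\
process_create|4120|C:\\Users\\alice\\Downloads\\SecurityUpdate.exe|c5e0a2b881a60fb3440bb78e9920dccd
file_write|4120|C:\\Users\\alice\\Downloads\\SecurityUpdate.exe|C:\\ProgramData\\update\\svc.exe
reg_set|4120|C:\\Users\\alice\\Downloads\\SecurityUpdate.exe|HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\SecUpdate_is1
reg_set|4120|C:\\Users\\alice\\Downloads\\SecurityUpdate.exe|HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\svc
dns_query|5200|C:\\ProgramData\\update\\svc.exe|pita1.sportsontheweb.net
file_write|3001|C:\\Program Files\\7-Zip\\7zFM.exe|C:\\Users\\alice\\Documents\\notes.txt"""

IOC_TAGS = {"known_hash", "known_c2_domain"}

def tag_event(event_type, detail):
    """Return the indicator name one event matches, or None."""
    if event_type == "process_create" and detail.lower() in IOC_MD5:
        return "known_hash"
    if event_type == "file_write" and PROGRAMDATA_RE.match(detail):
        return "programdata_drop"
    if event_type == "reg_set" and UNINSTALL_RE.search(detail):
        return "uninstall_entry"
    if event_type == "reg_set" and RUN_KEY_RE.search(detail):
        return "run_key_persistence"
    if event_type == "dns_query" and detail.lower() in IOC_DOMAINS:
        return "known_c2_domain"
    return None

def hunt(events_text):
    """Map image -> sorted tags for processes that hit an IoC or show at
    least two of the installer behaviours (a lone ProgramData write or
    Uninstall entry is normal for legitimate installers)."""
    tags = defaultdict(set)
    for line in events_text.splitlines():
        event_type, _pid, image, detail = line.split("|", 3)
        tag = tag_event(event_type, detail)
        if tag:
            tags[image].add(tag)
    return {image: sorted(found) for image, found in tags.items()
            if found & IOC_TAGS or len(found - IOC_TAGS) >= 2}
```

Feed real EDR or Sysmon exports through the same tagging by converting them to the four-field lines the rule expects; the two-behaviour threshold is what keeps ordinary Inno Setup installers from being flagged on their Uninstall entry alone.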
