Caution: Webhard service homepages abused as relay points for spreading malicious files
2011-03-05 • NProtect
At least eight South Korean file-sharing (webhard) service homepages were found serving malicious files after attackers modified the sites' JavaScript and embedded obfuscated links. Visitors could be redirected through iframe-based code to a Taiwan-hosted domain, where an Internet Explorer exploit downloaded an XOR-encoded payload named biz.exe that was decoded during installation into a runnable a.exe. Once running, the malware created files under the user's Application Data path, replaced imm32.dll, created a hidden nt32.dll, and varied its patching behavior depending on which antivirus software was installed. The installed malware was described as stealing online game account information. The incident shows how high-traffic domestic webhard services were abused as drive-by distribution points in the wake of the 3.3 DDoS-related malware activity.
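The distribution mechanism described above, an injected zero-size or hidden iframe pointing at an attacker-controlled host, is something a site operator can check for in their own served pages. The following is an added example, not code from the original report or from NProtect: it parses a constructed sample page, collects iframe and script tags, and flags any that are hidden or load from a host outside an assumed trusted set. The host names and the sample HTML are placeholders.

```python
"""Flag hidden or off-site iframes and scripts in a served page.

Added illustration, not code from the original report. The sample HTML
below is constructed; the domains in it are placeholders.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: a webhard-style page with two legitimate scripts and a
# zero-size, display:none iframe pointing off-site, the pattern in the report.
SAMPLE_HTML = """
<html><head>
<script src="/js/common.js"></script>
<script src="http://cdn.example-webhard.kr/ui.js"></script>
</head><body>
<h1>Downloads</h1>
<iframe src="http://redirector.example.invalid/in.html" width="0" height="0"
        style="display:none"></iframe>
</body></html>
"""

# Assumed set of hosts the site is allowed to load content from (placeholders).
TRUSTED_HOSTS = {"www.example-webhard.kr", "cdn.example-webhard.kr"}


class _Collector(HTMLParser):
    """Collect iframe and script start tags together with their attributes."""

    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        if tag in ("iframe", "script"):
            self.tags.append((tag, dict(attrs)))


def _is_hidden(attrs):
    """True when the element is sized to (near) zero or styled invisible."""
    style = (attrs.get("style") or "").replace(" ", "").lower()
    if "display:none" in style or "visibility:hidden" in style:
        return True
    for dim in ("width", "height"):
        value = (attrs.get(dim) or "").strip().rstrip("px")
        if value in ("0", "1"):
            return True
    return False


def _is_offsite(src, trusted_hosts):
    """True when src is absolute and points at a host outside the trusted set.

    Relative URLs have no hostname and are treated as same-site.
    """
    host = urlparse(src).hostname
    return host is not None and host.lower() not in trusted_hosts


def find_suspicious(html, trusted_hosts):
    """Return a list of (tag, src, reasons) for elements worth review."""
    parser = _Collector()
    parser.feed(html)
    findings = []
    for tag, attrs in parser.tags:
        src = attrs.get("src")
        if not src:
            continue  # inline scripts carry no src; see usage note
        reasons = []
        if _is_hidden(attrs):
            reasons.append("hidden")
        if _is_offsite(src, trusted_hosts):
            reasons.append("off-site")
        if reasons:
            findings.append((tag, src, reasons))
    return findings


if __name__ == "__main__":
    for tag, src, reasons in find_suspicious(SAMPLE_HTML, TRUSTED_HOSTS):
        print(f"{tag}: {src} ({', '.join(reasons)})")
```

This static tag scan sees only markup that is present in the fetched HTML. Because the report notes that the injected links were obfuscated, an iframe written at runtime by an inline script would not appear in the raw source; in that case the same check should be run against the rendered DOM (for example a page saved from a browser after load) rather than the server response.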