AppleSeed distributed disguised as an internet router installation file

2022-05-31 AhnLab: AppleSeed distributed disguised as an internet router installation file

https://asec.ahnlab.com/ko/34883/


AhnLab observed AppleSeed, a backdoor associated with Kimsuky APT activity, being distributed as an executable disguised as a firmware-upgrade installer for an internet router. When run, the file displayed a fake firmware-update prompt and opened iptime.com while installing AppleSeed in the background. The malware was executed through regsvr32 from DLL paths under ProgramData, including Firmware\Microsoft\Windows\Defender\AutoUpdate.dll and Software\ControlSet\Service\ServiceScheduler.dll, together with an /i argument that recent samples use as an anti-sandbox check. AhnLab says AppleSeed can receive C2 commands for information theft and delivery of additional payloads, with related cases installing RDP Patcher, HVNC, TightVNC, and Metasploit Meterpreter; listed infrastructure included fedra.p-e[.]kr, printware2.000webhostapp[.]com, and leomin.dothome[.]co.kr.
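As an added example (not code from the AhnLab post), the following Python check flags the execution pattern described above, regsvr32 loading a DLL from a path under ProgramData, over a few constructed Sysmon-style process-creation records; the JSON log format, field names and sample events are assumptions made for this example.

```python
"""Detection check for the regsvr32-from-ProgramData pattern used by AppleSeed.
Assumed input: one JSON object per line with Sysmon-like 'Image' and 'CommandLine'
fields (constructed for this example). Only the two DLL paths named in the report
are treated as known AppleSeed paths."""
import json
import re

# DLL paths named in the report, relative to %ProgramData%, lower-cased.
KNOWN_APPLESEED_PATHS = (
    r"firmware\microsoft\windows\defender\autoupdate.dll",
    r"software\controlset\service\servicescheduler.dll",
)
PROGRAMDATA_RE = re.compile(r"^[a-z]:\\programdata\\", re.IGNORECASE)
DLL_RE = re.compile(r'"?([^"\s]+\.dll)"?', re.IGNORECASE)   # first .dll token
IARG_RE = re.compile(r"(^|\s)/i(?=\s|$)", re.IGNORECASE)    # bare /i switch

# Constructed sample events: one benign regsvr32 run, one matching the report,
# one unrelated process, and one ProgramData DLL not named in the report.
SAMPLE_EVENTS = [
    r'{"EventID": 1, "Image": "C:\\Windows\\System32\\regsvr32.exe", "CommandLine": "regsvr32.exe /s C:\\Windows\\System32\\msxml3.dll"}',
    r'{"EventID": 1, "Image": "C:\\Windows\\System32\\regsvr32.exe", "CommandLine": "regsvr32.exe /s /i \"C:\\ProgramData\\Firmware\\Microsoft\\Windows\\Defender\\AutoUpdate.dll\""}',
    r'{"EventID": 1, "Image": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "cmd.exe /c whoami"}',
    r'{"EventID": 1, "Image": "C:\\Windows\\System32\\regsvr32.exe", "CommandLine": "regsvr32.exe /s C:\\ProgramData\\Vendor\\updater.dll"}',
]

def analyze(event: dict) -> list[str]:
    """Return the reasons an event is suspicious; empty list means no finding."""
    reasons: list[str] = []
    if not event.get("Image", "").lower().endswith("\\regsvr32.exe"):
        return reasons
    cmd = event.get("CommandLine", "")
    m = DLL_RE.search(cmd)
    dll = m.group(1) if m else ""
    if not PROGRAMDATA_RE.match(dll):
        return reasons  # DLLs under system or program paths are normal regsvr32 use
    reasons.append("regsvr32 loading a DLL from ProgramData")
    if PROGRAMDATA_RE.sub("", dll).lower() in KNOWN_APPLESEED_PATHS:
        reasons.append("DLL path matches a path named in the AhnLab report")
    if IARG_RE.search(cmd):
        reasons.append("/i argument present (anti-sandbox check in recent samples)")
    return reasons

def detect(lines: list[str]) -> list[tuple[int, list[str]]]:
    """Parse JSON log lines and return (line index, reasons) for each finding."""
    hits = []
    for i, line in enumerate(lines):
        reasons = analyze(json.loads(line))
        if reasons:
            hits.append((i, reasons))
    return hits

if __name__ == "__main__":
    for idx, why in detect(SAMPLE_EVENTS):
        print(f"line {idx}: " + "; ".join(why))
```

The bare /i switch is not flagged on its own, since regsvr32 /i is also used legitimately; it only strengthens a finding that already involves a ProgramData DLL.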

Indicators of Compromise

Type Value First Seen Last Seen
DOMAIN fedra.p-e.kr 2022-05-31 2023-11-01
HASH 851e33373114fef45d0fe28c6934fa73 2022-05-31 2022-07-08
HASH 9ac572bdca96a833a40edcaa91e04c2b 2022-05-31 2022-07-08
DOMAIN leomin.dothome.co.kr 2022-05-31 2022-07-08
URL http://leomin.dothome.co.kr/upd… 2022-05-31 2022-06-05
HASH 6b10482c939fc33c3a45a17f021df32b 2022-05-31 2022-05-31
HASH c99f6d1c7c0d55ce1453dd08c87ee2b4 2022-05-31 2022-05-31
HASH 39b39ca9cbf9b271590d06dfc68a68b7 2022-05-31 2022-05-31
URL http://fedra.p-e.kr// 2022-05-31 2022-05-31
URL http://printware2.000webhostapp… 2022-05-31 2022-05-31
DOMAIN printware2.000webhostapp.com 2022-05-31 2022-05-31
