Beware of backdoor malware being distributed under a legitimate certificate!

2025-05-15 ESTSecurity Cyber threat report on CJOliveNetworks

https://alyacofficialblog.tistory.com/5564


Alyac (ESTSecurity) reports a backdoor distributed as an executable that carries a valid code-signing certificate issued to a well-known Korean company, most likely to lower user suspicion and to evade signature-based detection. The initial file is an SCR executable with a PDF-style icon. When run, it extracts a decoy PDF into the user's temporary directory and then drops config.dat under the Public folder. config.dat is a malicious DLL that is loaded through rundll32.exe. It establishes persistence either as a service or through a registry key, depending on the privileges it is running with, and it takes its C2 configuration either from a DATA_CONF file or from an embedded configuration that it decrypts with RC4. The backdoor supports commands for process execution, configuration changes, C2 switching, file deletion, persistence removal, file transfer and screen capture. A valid signature therefore says nothing about intent in this case: an SCR file presenting itself as a PDF, and rundll32 loading a non-DLL file name from the Public folder, should be triaged regardless of who signed the dropper.
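The behaviours in the summary above translate directly into hunt logic. The following Python script is an added example, not code from the Alyac report or from ESTSecurity: it runs three checks over a handful of constructed, Sysmon-like event records (process creation, file creation, DNS) and returns the matching rule names. The event field names (type, image, command_line, target, md5, dest_hostname, signer), the file name quote.pdf.scr and the rundll32 entry point "#1" are assumptions made for the example; the hashes and domain are the IoCs listed on this page. The rundll32 check is generalised beyond the page's config.dat case to any non-.dll module under the Public folder, and none of the rules look at the signer field, because a valid signature is exactly what this campaign relies on.

```python
"""Behavioural and IoC triage for the signed-SCR -> config.dat -> rundll32 chain.

All events below are constructed for this example; they are not real telemetry.
"""
import re
from typing import Dict, Iterable, List, Tuple

# IoCs as listed on this page: two MD5-format hashes and the C2 domain.
IOC_MD5 = {
    "7ec88818697623a0130b1de42fa31335",
    "580d7a5fdf78dd3e720b2ce772dc77e9",
}
IOC_DOMAINS = {"gsegse.dasfesfgsegsefsede.o-r.kr"}

Event = Dict[str, str]
Hit = Tuple[str, Event]

# rundll32 syntax: rundll32[.exe] <module>[,<entry>] [args]; the module may be quoted.
_RUNDLL32_RE = re.compile(r'\s*"?[^"\s]*rundll32(?:\.exe)?"?\s+("([^"]+)"|[^,\s]+)', re.I)


def rundll32_module(cmdline: str) -> str:
    """Return the module path rundll32 was asked to load, or '' if this is not rundll32."""
    m = _RUNDLL32_RE.match(cmdline)
    if not m:
        return ""
    return m.group(2) or m.group(1)


def rule_rundll32_public_nondll(ev: Event) -> bool:
    """rundll32 loading a module from C:\\Users\\Public whose name does not end in .dll.

    The page's case is config.dat; the check is generalised to any non-.dll extension.
    """
    if ev.get("type") != "process":
        return False
    module = rundll32_module(ev.get("command_line", "")).lower()
    return bool(module) and "\\users\\public\\" in module and not module.endswith(".dll")


def rule_scr_drops_pdf_in_temp(ev: Event) -> bool:
    """A .scr process writing a .pdf into a Temp directory (the decoy-document drop)."""
    if ev.get("type") != "file_create":
        return False
    image = ev.get("image", "").lower()
    target = ev.get("target", "").lower()
    return image.endswith(".scr") and target.endswith(".pdf") and "\\temp\\" in target


def rule_ioc(ev: Event) -> bool:
    """Exact, case-insensitive match on the page's hashes or C2 domain."""
    if ev.get("md5", "").lower() in IOC_MD5:
        return True
    return ev.get("dest_hostname", "").lower().rstrip(".") in IOC_DOMAINS


RULES = {
    "rundll32_public_nondll": rule_rundll32_public_nondll,
    "scr_drops_pdf_in_temp": rule_scr_drops_pdf_in_temp,
    "ioc_match": rule_ioc,
}


def triage(events: Iterable[Event]) -> List[Hit]:
    """Run every rule over every event; return (rule name, event) for each match."""
    hits: List[Hit] = []
    for ev in events:
        for name, rule in RULES.items():
            if rule(ev):
                hits.append((name, ev))
    return hits


# Constructed sample: file name, user name and entry point are placeholders.
SAMPLE_EVENTS: List[Event] = [
    {"type": "process", "image": r"C:\Users\alice\Downloads\quote.pdf.scr",
     "md5": "7EC88818697623A0130B1DE42FA31335", "signer": "valid (well-known company)"},
    {"type": "file_create", "image": r"C:\Users\alice\Downloads\quote.pdf.scr",
     "target": r"C:\Users\alice\AppData\Local\Temp\quote.pdf"},
    {"type": "process", "image": r"C:\Windows\System32\rundll32.exe",
     "command_line": r'rundll32.exe "C:\Users\Public\config.dat",#1',
     "md5": "00000000000000000000000000000000"},
    {"type": "process", "image": r"C:\Windows\System32\rundll32.exe",
     "command_line": r"rundll32.exe shell32.dll,Control_RunDLL"},  # benign, must not match
    {"type": "dns", "dest_hostname": "gsegse.dasfesfgsegsefsede.o-r.kr"},
]


def triage_sample() -> List[str]:
    """Rule names fired by the constructed sample, in event order."""
    return [name for name, _ in triage(SAMPLE_EVENTS)]


if __name__ == "__main__":
    for name, ev in triage(SAMPLE_EVENTS):
        print(f"{name}: {ev.get('image') or ev.get('dest_hostname')}")
```

The benign rundll32 record (shell32.dll) is there to show that the check keys on the module's location and extension, not on rundll32 itself, which is far too common to alert on alone. Domain matching is exact on the listed host; widening it to the parent zone would be a tuning decision, not something the page supports.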

Indicators of Compromise

Type         Value                               First Seen   Last Seen
DOMAIN       gsegse.dasfesfgsegsefsede.o-r.kr    2025-05-15   2026-04-07
HASH (MD5)   7ec88818697623a0130b1de42fa31335    2025-05-15   2025-05-30
HASH (MD5)   580d7a5fdf78dd3e720b2ce772dc77e9    2025-05-15   2025-05-30
