Boannews reports that the Hanatour personal data breach was linked to a specific vendor solution that appears to have served as an attack entry point. Malware found at Hanatour was described as a variant similar to samples seen in an SI vendor intrusion and in other environments, including asset management and banking organizations. The article says the malware communicated with an IP range tied to a shopping mall server hosted through the SI vendor's IDC, which was suspected of being abused as command-and-control infrastructure. Researchers also noted similarities to malware used against Seoul ADEX participants and major Korean conglomerate affiliates, raising the possibility that the activity was part of the suspected North Korean Operation GoldenAxe campaign, though the report frames this as a likelihood rather than definitive attribution.