Analysis of Attack Cases Against Korean Solutions by the Andariel Group (SmallTiger)
2024-12-23 • AhnLab
AhnLab reports that Andariel continued attacks against South Korean enterprise software in late 2024, primarily installing SmallTiger through compromised or vulnerable management solutions. The cases include long-running exploitation of asset management systems, possible takeover of exposed update servers through brute-force or dictionary attacks, replacement of update programs with SmallTiger, and use of a keylogger that writes keystrokes to MsMpLog.tmp. SmallTiger was also used to enable RDP, while the open-source CreateHiddenAccount tool created a concealed backdoor account for persistence. A separate document-management case involved outdated Apache Tomcat servers, basic host reconnaissance commands, Advanced Port Scanner, and a suspected web shell downloaded from 45.61.148[.]153, which AhnLab also identifies as SmallTiger C2 infrastructure.
Indicators of Compromise
| Type | Value | First Seen | Last Seen |
|---|---|---|---|
| IPv4 | 45.61.148.153 | 2024-12-22 | 2024-12-23 |
| IPv4 | 20.20.100.32 | 2024-12-22 | 2024-12-23 |
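As an added example (not code from the AhnLab report), the Python below checks constructed sample telemetry against the indicators this page lists: the two C2 addresses from the table and the MsMpLog.tmp keylogger output file. The event format, host names and file paths are assumptions; the indicator normalisation also accepts the defanged `45.61.148[.]153` spelling used in the summary.

```python
import ipaddress
import json
import re

# Indicators taken from this page: the two C2 IPv4 addresses in the IOC table
# (one written in defanged form, as in the summary) and the keylogger output file.
REPORT_INDICATORS = {
    "ipv4": {"45.61.148[.]153", "20.20.100.32"},
    "filename": {"MsMpLog.tmp"},
}

def refang(value: str) -> str:
    """Turn a defanged indicator such as "45.61.148[.]153" back into its literal form."""
    return re.sub(r"\[\.\]|\(\.\)|\{\.\}", ".", value).replace("hxxp", "http")

def load_indicators(raw):
    """Canonicalise the indicator set: refang and validate IPs, lower-case file names."""
    ips = {str(ipaddress.ip_address(refang(ip))) for ip in raw["ipv4"]}
    return {"ipv4": ips, "filename": {f.lower() for f in raw["filename"]}}

# Constructed sample events (not from the report): one JSON object per line,
# modelled on endpoint network-connection and file-create telemetry.
SAMPLE_EVENTS = [
    '{"event": "network_connect", "host": "srv-update01", "dest_ip": "45.61.148.153", "dest_port": 443}',
    '{"event": "network_connect", "host": "ws-1042", "dest_ip": "10.0.0.12", "dest_port": 445}',
    '{"event": "file_create", "host": "ws-1042", "path": "C:\\\\Windows\\\\Temp\\\\MsMpLog.tmp"}',
    '{"event": "file_create", "host": "ws-1042", "path": "C:\\\\Users\\\\bob\\\\report.docx"}',
    '{"event": "network_connect", "host": "srv-dms02", "dest_ip": "20.20.100.32", "dest_port": 8080}',
]

def match_events(lines, indicators):
    """Return (host, matched indicator, reason) for every event touching a report indicator."""
    hits = []
    for line in lines:
        ev = json.loads(line)
        if ev["event"] == "network_connect" and ev["dest_ip"] in indicators["ipv4"]:
            hits.append((ev["host"], ev["dest_ip"], "connection to SmallTiger C2"))
        elif ev["event"] == "file_create":
            # Compare only the file name, case-insensitively, regardless of directory.
            name = ev["path"].replace("\\", "/").rsplit("/", 1)[-1].lower()
            if name in indicators["filename"]:
                hits.append((ev["host"], name, "keylogger output file written"))
    return hits

if __name__ == "__main__":
    for hit in match_events(SAMPLE_EVENTS, load_indicators(REPORT_INDICATORS)):
        print(*hit)
```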