Analysis of Andariel Group Attacks Targeting South Korean Enterprise Solutions (SmallTiger)
2024-12-22 • AhnLab • Analysis of Andariel attacks targeting South Korean enterprise solutions (SmallTiger)
AhnLab ASEC analyzed Andariel attacks against South Korean enterprise software, including asset-management and document-centralization solutions, in which the SmallTiger malware was deployed. In the asset-management cases, the attackers appear to have abused the solutions' control or update servers to issue malware installation commands, including replacing the legitimate update program with SmallTiger and deploying a keylogger that wrote captured keystrokes to a file named MsMpLog.tmp. The malware was then used to enable RDP access, to create and hide backdoor accounts with tools such as CreateHiddenAccount, and to run reconnaissance commands. In the document-centralization cases, the attackers attempted to deploy web shells from infrastructure that was also associated with SmallTiger C2 activity.
Indicators of Compromise
| Type | Value | First Seen | Last Seen |
|---|---|---|---|
| IPv4 | 45.61.148.153 | 2024-12-22 | 2024-12-23 |
| IPv4 | 20.20.100.32 | 2024-12-22 | 2024-12-23 |
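The two C2 addresses in the table and the MsMpLog.tmp keylogger output file are the artifacts a defender can sweep for directly. The script below is an added example, not AhnLab's code or part of the original report: it checks a handful of constructed firewall-style log lines for contact with the listed IPs and constructed file-creation events for the keylogger file name (case-insensitively, in any directory). The log and event formats are assumptions made for the example.

```python
"""Match the C2 IPs and the keylogger output file named in the AhnLab summary
against sample log lines.  Added example, not AhnLab's code; the log formats
below are constructed assumptions."""
import ipaddress
import re
from pathlib import PureWindowsPath

# IoCs as listed on the page (IP table) and in the summary text.
C2_IPS = {"45.61.148.153", "20.20.100.32"}
KEYLOG_FILENAME = "msmplog.tmp"  # compared case-insensitively

# Constructed firewall-style log lines (format is an assumption).
SAMPLE_NET_LOGS = [
    "2024-12-22T09:14:03Z ALLOW src=10.0.5.21 dst=45.61.148.153 dport=443 proto=tcp",
    "2024-12-22T09:14:05Z ALLOW src=10.0.5.21 dst=142.250.74.46 dport=443 proto=tcp",
    "2024-12-22T09:20:41Z ALLOW src=10.0.5.30 dst=20.20.100.32 dport=80 proto=tcp",
    "2024-12-22T09:21:00Z DENY  src=10.0.5.30 dst=203.0.113.9 dport=22 proto=tcp",
]

# Constructed EDR-style file-creation events (format is an assumption).
SAMPLE_FILE_EVENTS = [
    r"2024-12-22T09:15:12Z host=WS-021 event=FileCreate path=C:\ProgramData\MsMpLog.tmp",
    r"2024-12-22T09:15:13Z host=WS-021 event=FileCreate path=C:\Users\a\AppData\Local\Temp\report.docx",
    r"2024-12-22T09:30:00Z host=WS-030 event=FileCreate path=C:\Windows\Temp\MSMPLOG.TMP",
]

IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
PATH_RE = re.compile(r"path=(\S+)")


def find_c2_hits(log_lines, c2_ips=C2_IPS):
    """Return (line_index, ip) for every log line that references a C2 IP.

    Every dotted quad in the line is checked, so the match does not depend on
    the field name (dst=, src=, ...) and survives format changes."""
    hits = []
    for idx, line in enumerate(log_lines):
        for candidate in IP_RE.findall(line):
            try:
                ip = str(ipaddress.ip_address(candidate))  # validate and normalise
            except ValueError:
                continue  # e.g. an octet above 255; not a real address
            if ip in c2_ips:
                hits.append((idx, ip))
    return hits


def find_keylog_artifacts(file_events, filename=KEYLOG_FILENAME):
    """Return the full path of every created file whose name matches the
    keylogger output file, regardless of case or directory."""
    matches = []
    for line in file_events:
        m = PATH_RE.search(line)
        if m and PureWindowsPath(m.group(1)).name.lower() == filename:
            matches.append(m.group(1))
    return matches


if __name__ == "__main__":
    for idx, ip in find_c2_hits(SAMPLE_NET_LOGS):
        print(f"C2 contact on line {idx}: {ip}")
    for path in find_keylog_artifacts(SAMPLE_FILE_EVENTS):
        print(f"keylogger artifact: {path}")
```

On real data, replace the two sample lists with lines read from the firewall or EDR export; the file-name check is deliberately directory-agnostic because the summary does not state where MsMpLog.tmp is written.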