New Andariel Reconnaissance Tactics Hint At Next Targets

2018-07-16 Trend Micro

https://blog.trendmicro.com/trendlabs-security-intelligence/new-andariel-reconnaissance-tactics-hint-at-next-targets/


Trend Micro reported that Andariel compromised South Korean websites to run reconnaissance scripts against visitors before possible follow-on exploitation. The injected JavaScript collected browser type, system language, Flash and Silverlight versions, and ActiveX object availability, extending earlier reconnaissance associated with Operation GoldenAxe. The newer script checked for ActiveX objects tied to South Korean DRM and voice conversion software and also probed local WebSocket ports 45461 and 45462, suggesting interest beyond Internet Explorer-only ActiveX targeting. The activity matters because Andariel had previously used similar pre-exploitation profiling before deploying an ActiveX zero-day, making these compromised sites and collection endpoints useful warning indicators for South Korean public-sector and institutional targets.
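The profiling behaviour summarised above (ActiveX object probing, browser and plug-in fingerprinting, WebSocket connections to local ports 45461 and 45462) is easy to spot statically once you know what to look for. The following is an added example, not code from Trend Micro or from the report, of a small triage scanner a defender can run over JavaScript retrieved from a suspected compromised site. The sample script and the ActiveX ProgID `EXAMPLE.DRMCtl` in it are constructed placeholders; the only values taken from the report are the two local port numbers.

```python
"""Added example (not Trend Micro's code): static triage of a JavaScript
file for the browser-reconnaissance pattern described in the report."""
import re
from dataclasses import dataclass, field

# Local WebSocket ports the report says the injected script probed.
REPORTED_WS_PORTS = {45461, 45462}

# new ActiveXObject("Some.ProgID")  -> captures the ProgID being probed
ACTIVEX_RE = re.compile(r"""new\s+ActiveXObject\s*\(\s*["']([^"']+)["']\s*\)""")
# new WebSocket("ws://127.0.0.1:PORT/...") or localhost -> captures PORT
WS_RE = re.compile(
    r"""new\s+WebSocket\s*\(\s*["']wss?://(?:127\.0\.0\.1|localhost)(?::(\d+))?[^"']*["']"""
)
# Fingerprinting fields the report lists: browser type, language, Flash, Silverlight
FINGERPRINT_RE = {
    "user_agent": re.compile(r"navigator\.userAgent"),
    "language": re.compile(r"navigator\.(?:language|systemLanguage|userLanguage)"),
    "flash": re.compile(r"ShockwaveFlash", re.I),
    "silverlight": re.compile(r"AgControl|Silverlight", re.I),
}


@dataclass
class Findings:
    activex_progids: list = field(default_factory=list)
    local_ws_ports: list = field(default_factory=list)
    fingerprint_fields: list = field(default_factory=list)
    matches_reported_ports: bool = False
    score: int = 0  # simple additive triage score, higher = more suspicious


def scan_script(js: str) -> Findings:
    """Return the reconnaissance indicators found in a JavaScript source string."""
    f = Findings()
    f.activex_progids = sorted(set(ACTIVEX_RE.findall(js)))
    f.local_ws_ports = sorted({int(p) for p in WS_RE.findall(js) if p})
    f.fingerprint_fields = [name for name, rx in FINGERPRINT_RE.items() if rx.search(js)]
    f.matches_reported_ports = bool(REPORTED_WS_PORTS & set(f.local_ws_ports))
    # Local-port probing weighs more than generic fingerprinting; an exact
    # match on the reported ports is the strongest signal this scanner has.
    f.score = (
        len(f.activex_progids)
        + 2 * len(f.local_ws_ports)
        + len(f.fingerprint_fields)
        + (5 if f.matches_reported_ports else 0)
    )
    return f


# Constructed sample, modelled on the behaviour the report describes.
# "EXAMPLE.DRMCtl" is a placeholder ProgID, not a real indicator.
SAMPLE_JS = """
var info = {ua: navigator.userAgent, lang: navigator.systemLanguage};
try { var drm = new ActiveXObject("EXAMPLE.DRMCtl"); info.drm = 1; } catch (e) {}
try { var fl = new ActiveXObject("ShockwaveFlash.ShockwaveFlash");
      info.flash = fl.GetVariable("$version"); } catch (e) {}
var s1 = new WebSocket("ws://127.0.0.1:45461/");
var s2 = new WebSocket("ws://localhost:45462/");
"""

if __name__ == "__main__":
    result = scan_script(SAMPLE_JS)
    print(result)
```

Run against the constructed sample, the scanner reports both placeholder ProgIDs, the two local ports (flagged as matching the reported campaign), three fingerprinting fields and a score of 14; a script with none of these patterns scores 0. In practice you would feed it every inline and external script collected from the suspect page and sort by score before manual review.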

Indicators of Compromise

Type     Value                               First Seen   Last Seen
HASH     cfcd391eec9fca663afd9a4a152e62a…    2018-07-16   2018-07-16
HASH     e0e30eb5e5ff1e71548c4405d04ce16…    2018-07-16   2018-07-16
HASH     67a1312768c4ca3379181c0fcc11434…    2018-07-16   2018-07-16
URL      http://adfamc.com/editor/sorak/…    2018-07-16   2018-07-16
URL      http://www.peaceind.co.kr/board…    2018-07-16   2018-07-16
URL      http://adfamc.com/editor/sorak/…    2018-07-16   2018-07-16
URL      http://aega.co.kr/mall/skin/ski…    2018-07-16   2018-07-16
URL      http://alphap1.com/hdd/images/i…    2018-07-16   2018-07-16
DOMAIN   aega.co.kr                          2018-07-16   2018-07-16
DOMAIN   adfamc.com                          2018-07-16   2018-07-16
DOMAIN   alphap1.com                         2018-05-23   2018-07-16

Related Actors

First seen: Jul 2017
Last seen: May 2026
