Operation GoldenAxe2: ActiveX attacks targeting reunification, diplomacy and security stakeholders
2018-05-23 • Issuemakers Lab
http://taylor-blog.issuemakerslab.com/2018/05/operation-goldenaxe2activex-attacks.html
Operation GoldenAxe2 describes North Korean malware distributed through a watering-hole attack on the Sejong Institute, a South Korean think tank focused on reunification, diplomacy, and security. The campaign exploited an ActiveX vulnerability in AcubeFileCtrl.ocx (versions before the patched release 2.3.0.4), abusing ShellExecute to download and execute the malware. Injected JavaScript such as jquery-1.5.3.min.json collected browser and ActiveX installation details, base64-encoded the data, and sent it to alphap1.com. The malware then connected to a C2 server, authenticated with fixed base64-encoded data, encrypted its traffic with RC4 under the key 1234567890, sent host details (computer name, user name, IP address, MAC address, and OS version), and executed operator commands through cmd.exe. The excerpt attributes the activity to the GoldenAxe organization, described as a North Korean group that had exploited Korean ActiveX software for years against Korean companies and organizations.
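Added example, not code from the Issuemakers Lab post: an analyst-side helper for decoding captured C2 traffic with the RC4 key 1234567890 reported above, plus a plausibility check for deciding whether a blob really was encrypted under that key. The '|'-separated beacon layout and the sample host values are constructed assumptions; the report names the fields but not the wire format.

```python
# RC4 key the report attributes to the GoldenAxe2 C2 channel.
C2_RC4_KEY = b"1234567890"

# ASSUMED field order for the host-details beacon; only the field names
# come from the report, the '|' separator is a constructed assumption.
BEACON_FIELDS = ["computer_name", "user_name", "ip", "mac", "os_version"]


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA); encryption and decryption are the same op."""
    S = list(range(256))
    j = 0
    for i in range(256):                      # key-scheduling algorithm
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:                         # pseudo-random generation
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def plausible_plaintext(data: bytes, threshold: float = 0.9) -> bool:
    """True if at least `threshold` of the bytes are printable ASCII.
    Used to tell a correct key from garbage when triaging captured blobs."""
    if not data:
        return False
    printable = sum(1 for b in data if 0x20 <= b <= 0x7E or b in (0x09, 0x0A, 0x0D))
    return printable / len(data) >= threshold


def decode_beacon(ciphertext: bytes, key: bytes = C2_RC4_KEY) -> dict:
    """Decrypt a captured beacon and split it into the reported host fields."""
    plain = rc4(key, ciphertext)
    if not plausible_plaintext(plain):
        raise ValueError("decrypted data is not text; wrong key or format")
    parts = plain.decode("utf-8", errors="replace").split("|")
    return dict(zip(BEACON_FIELDS, parts))


# Constructed sample beacon, encrypted here with the reported key so the
# decoder has realistic input to run on offline.
SAMPLE_PLAINTEXT = b"DESKTOP-TEST|analyst|192.0.2.10|00-11-22-33-44-55|Windows 7"
SAMPLE_CIPHERTEXT = rc4(C2_RC4_KEY, SAMPLE_PLAINTEXT)

if __name__ == "__main__":
    print(decode_beacon(SAMPLE_CIPHERTEXT))
```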
Indicators of Compromise
| Type | Value | First Seen | Last Seen |
|---|---|---|---|
| DOMAIN | alphap1.com | 2018-05-23 | 2018-07-16 |
| URL | http://www.sejong.org/js/menu.js | 2018-05-23 | 2018-05-23 |
| URL | http://www.sejong.org/_lib/conf… | 2018-05-23 | 2018-05-23 |
| URL | https://www.srider.net/www/cust… | 2018-05-23 | 2018-05-23 |
| URL | http://www.sejong.org/pub/inc/c… | 2018-05-23 | 2018-05-23 |
| URL | http://www.nkeconomy.com/news/a… | 2018-05-23 | 2018-05-23 |
| URL | http://www.sejong.org | 2018-05-23 | 2018-05-23 |