Warning: Malware Disguised as a Security Update Installer Being Distributed
2023-06-19 • AhnLab
AhnLab and South Korea’s NCSC Joint Analysis and Consultation Council reported malware, attributed to a government-backed hacking group, that masqueraded as a security update installer. The payload was packaged with Inno Setup; its install_script.iss script created files under C:\ProgramData and registered installation entries so that the package appeared to be normal software. Once installed, the malware added itself to a registry startup location for persistence, collected system information and sent it to the attacker’s C2 server, and also accepted additional remote commands. Representative indicators in the source include the MD5 c5e0a2b881a60fb3440bb78e9920dccd and the C2 domain pita1.sportsontheweb[.]net.
Indicators of Compromise
| Type | Value | First Seen | Last Seen |
|---|---|---|---|
| HASH | c5e0a2b881a60fb3440bb78e9920dccd | 2023-06-09 | 2023-08-16 |
| DOMAIN | pita1.sportsontheweb.net | 2023-06-09 | 2023-08-16 |
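The behaviour summarised above (a dropped file under C:\ProgramData, a registry autostart entry pointing at it, and a DNS lookup of the C2 domain) can be matched against endpoint telemetry. The following is an added example, not AhnLab's code: it runs three checks over constructed log lines in a simplified `key=value|key=value` format (not Sysmon's real schema), uses the hash and domain from the table above, and assumes the "registry startup area" is one of the usual Run/RunOnce keys, which the source does not name.

```python
import re
from typing import Dict, List, Tuple

# Indicators quoted on this page.
IOC_MD5 = {"c5e0a2b881a60fb3440bb78e9920dccd"}
IOC_DOMAINS = {"pita1.sportsontheweb.net"}

# Assumption: the startup location is a Run/RunOnce key (the source only says "registry startup area").
AUTORUN_KEY = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.I)
PROGRAMDATA = re.compile(r'^"?C:\\ProgramData\\', re.I)  # drop location named in the report


def parse(line: str) -> Dict[str, str]:
    """Parse one constructed 'key=value|key=value' log line into a dict."""
    return dict(field.split("=", 1) for field in line.strip().split("|"))


def check(ev: Dict[str, str]) -> List[str]:
    """Return the names of every rule the event matches (empty list if none)."""
    hits = []
    if ev.get("md5", "").lower() in IOC_MD5:
        hits.append("known-sample-hash")
    if ev.get("event") == "RegistryValueSet" and AUTORUN_KEY.search(ev.get("target", "")) \
            and PROGRAMDATA.match(ev.get("data", "")):
        hits.append("autorun-to-programdata")
    q = ev.get("query", "").lower().rstrip(".")
    if ev.get("event") == "DnsQuery" and any(q == d or q.endswith("." + d) for d in IOC_DOMAINS):
        hits.append("c2-domain-lookup")
    return hits


def scan(lines: List[str]) -> List[Tuple[int, str]]:
    """Run check() over every line; return (1-based line number, rule name) pairs."""
    return [(n, h) for n, line in enumerate(lines, 1) for h in check(parse(line))]


# Constructed sample telemetry: three malicious events plus two benign look-alikes.
SAMPLE_LOG = [
    "event=ProcessCreate|image=C:\\Users\\u\\Downloads\\SecurityUpdate.exe|md5=c5e0a2b881a60fb3440bb78e9920dccd",
    "event=FileCreate|image=C:\\Users\\u\\Downloads\\SecurityUpdate.exe|target=C:\\ProgramData\\Update\\svc.exe",
    "event=RegistryValueSet|target=HKU\\S-1-5-21-1\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Update|data=C:\\ProgramData\\Update\\svc.exe",
    "event=DnsQuery|image=C:\\ProgramData\\Update\\svc.exe|query=pita1.sportsontheweb.net",
    "event=RegistryValueSet|target=HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Defender|data=C:\\Program Files\\Windows Defender\\MSASCuiL.exe",
    "event=DnsQuery|image=C:\\Windows\\System32\\svchost.exe|query=update.microsoft.com",
]
```

The autorun rule fires only when the Run value points under C:\ProgramData, so a legitimate Run entry under C:\Program Files (line 5 of the sample) is not flagged.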