Beware of APT attacks distributed in the form of WSF files

2018-01-23 Ahnlab Beware of APT attacks distributed in the form of WSF files

http://asec.ahnlab.com/1086

AhnLab analyzed a Windows Script File received from a customer that behaved like an APT delivery chain by displaying a decoy Korean HWP document while downloading and executing a malicious DLL. The WSF file embedded a normal HWP file, fetched a password-protected archive from a distribution server, validated the downloaded RAR content, extracted the payload using WinRAR or ALZip parameters, and loaded the decrypted fund.lis DLL through regsvr32.exe. The fund.lis payload established persistence by copying itself under an AppData Microsoft Protect path and registering a Run key, then exfiltrated host details such as MAC address and OS version to a C&C endpoint. It also periodically downloaded additional encrypted malware based on the victim MAC address, decrypted it, executed it via regsvr32.exe, reported success to the server, and deleted the temporary file. AhnLab detects the DLL as Trojan/Win32.Akdoor.C2358769.
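The chain summarised above leaves two telemetry signals a defender can key on: regsvr32.exe being asked to load a module with a non-DLL extension (fund.lis) from a user-writable path, and a Run key whose data points into an AppData Microsoft Protect path. The following detection logic is an added example and is not AhnLab's code; the Sysmon-style event records, user name, and paths are constructed for illustration.

```python
import ntpath
import re

# Constructed sample telemetry (simplified Sysmon-style records); not from the report.
SAMPLE_EVENTS = [
    {"type": "process", "image": r"C:\Windows\System32\regsvr32.exe",
     "cmdline": r'regsvr32.exe /s "C:\Users\victim\AppData\Local\Temp\fund.lis"',
     "parent": r"C:\Windows\System32\wscript.exe"},
    {"type": "process", "image": r"C:\Windows\System32\regsvr32.exe",
     "cmdline": r'regsvr32.exe /s "C:\Program Files\Vendor\codec.dll"',
     "parent": r"C:\Program Files\Vendor\setup.exe"},
    {"type": "registry", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Protect",
     "data": r"regsvr32.exe /s C:\Users\victim\AppData\Roaming\Microsoft\Protect\fund.lis"},
    {"type": "registry", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "data": r"C:\Users\victim\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background"},
]

LEGIT_EXT = {".dll", ".ocx", ".ax"}          # extensions regsvr32 normally registers
USER_WRITABLE = re.compile(r"\\(AppData|Temp|Users\\Public)\\", re.I)
RUN_KEY = re.compile(r"\\CurrentVersion\\Run", re.I)
PROTECT_PATH = re.compile(r"\\AppData\\.*\\Microsoft\\Protect\\", re.I)

def target_of_regsvr32(cmdline):
    """Return the module path regsvr32 was asked to load (last non-switch argument)."""
    tokens = re.findall(r'"([^"]+)"|(\S+)', cmdline)
    args = [quoted or bare for quoted, bare in tokens]
    args = [a for a in args[1:] if not a.startswith("/")]  # drop image name and /s, /n, /i:...
    return args[-1] if args else ""

def flag_event(ev):
    """Return the reasons an event matches the reported tradecraft; empty list if benign."""
    reasons = []
    if ev["type"] == "process" and ev["image"].lower().endswith("regsvr32.exe"):
        target = target_of_regsvr32(ev["cmdline"])
        ext = ntpath.splitext(target)[1].lower()   # ntpath handles backslash paths on any host
        if ext not in LEGIT_EXT:
            reasons.append(f"regsvr32 loading non-DLL extension {ext or '(none)'}")
        if USER_WRITABLE.search(target):
            reasons.append("regsvr32 module in user-writable path")
        if ev["parent"].lower().endswith(("wscript.exe", "cscript.exe")):
            reasons.append("regsvr32 spawned by script host (WSF stage)")
    elif ev["type"] == "registry" and RUN_KEY.search(ev["key"]):
        if PROTECT_PATH.search(ev["data"]):
            reasons.append("Run key points into AppData Microsoft Protect path")
        if "regsvr32" in ev["data"].lower():
            reasons.append("Run key launches via regsvr32")
    return reasons

def scan(events):
    """Map event index -> reasons for every event that raised at least one reason."""
    return {i: r for i, r in ((i, flag_event(e)) for i, e in enumerate(events)) if r}
```

Running `scan(SAMPLE_EVENTS)` flags only the fund.lis load and the Protect-path Run key; the vendor DLL registration and the OneDrive Run entry pass clean.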
