Xctdoor Malware Used in Attacks Against Korean Companies (Andariel)
2024-07-01 • Ahnlab
ASEC observed attacks against Korean defense and manufacturing organizations in which a threat actor abused a Korean ERP solution and compromised Windows IIS web servers to deploy Xctdoor and XcLoader. The ERP case resembles earlier Andariel tradecraft from 2017, where a malicious routine was inserted into an ERP updater to distribute the HotCroissant backdoor, but the recent activity is described as involving an unidentified threat actor. Xctdoor is a Go-based DLL backdoor executed through Regsvr32.exe, injected into normal processes, and persisted through files under a Microsoft Edge package path and a startup shortcut. Its capabilities include system profiling, command execution, screenshot capture, keylogging, clipboard logging, drive information collection, and HTTP C2 using Mersenne Twister and Base64-based encryption. The web-server cases involved XcLoader installation, command execution consistent with possible web-shell access, and Ngrok use to expose RDP access, making the activity significant for tracking ERP supply-chain abuse and DPRK-linked Andariel-adjacent techniques in Korean enterprises.