NKNShell Malware Distributed via VPN Website
AhnLab SEcurity intelligence Center (ASEC) has confirmed that malware has been uploaded to the website of a South Korean VPN provider. Based on the distribution method and characteristics of the malware used, this attack appears to be the work of the same threat actor who has been targeting South Korean
Statistical Report on Malware Targeting Windows Web Servers in Q2 2025
Overview: AhnLab SEcurity intelligence Center (ASEC) is using the AhnLab Smart Defense (ASD) infrastructure to respond to and categorize attacks against poorly managed Windows web servers. This report covers the current state of damage to Windows web servers which had become the target of attacks based on the logs identified
Case of Attacks Targeting South Korean Web Servers Using MeshAgent and SuperShell
Lately, attacks on South Korean web servers utilizing MeshAgent and SuperShell have been identified. The presence of ELF-based malware at the malicious code distribution address suggests that the attackers are targeting not only Windows servers but also Linux servers. It is assumed that the attackers installed a web shell using
Andariel Group Exploiting Korean Asset Management Solutions (MeshAgent)
AhnLab SEcurity intelligence Center (ASEC) recently discovered the Andariel group’s continuous attacks on Korean companies. It is notable that installations of MeshAgent were found in some cases. Threat actors often exploit MeshAgent along with other similar remote management tools because it offers diverse remote control features. The Andariel group exploited
Sliver C2 Being Distributed Through Korean Program Development Company
In the past, AhnLab Security Emergency response Center (ASEC) had shared the “SparkRAT Being Distributed Within a Korean VPN Installer” [1] case post and the “Analysis of Attack Cases: From Korean VPN Installations to MeshAgent Infections” [2] case post which covered the SparkRAT malware being distributed through a Korean VPN
Analysis of Attack Cases: From Korean VPN Installations to MeshAgent Infections
AhnLab Security Emergency response Center (ASEC) has previously covered the case where SparkRAT was distributed inside a Korean VPN’s installer in the post “SparkRAT Being Distributed Within a Korean VPN Installer” [1]. This VPN was commonly installed by Chinese users who required better access to the Internet, and the problem

