KSystem ERP
KSystem ERP update program compromised.
The KSystem ERP update program was compromised by the Andariel group, turning ClientUpdater.exe into a delivery path for Xctdoor. The malicious routines enabled data theft and remote control, placing an espionage backdoor inside the operational rhythm of enterprise resource planning software.
- Date
- 2024-05-01 to 2024-05-31
- Category
- Commercial
- Target Surface
- Distribution
- Insertion Phase
- Distribution
- Impact
- Data theft
- Cause
- Server compromise
What Was Affected
- Package
- KSystem ERP
- Language
- C
- Component
- Application
- Artifact type
- binary archive
- Domain type
- project download host
- Domain
- ksystem.co.kr
Incident Context
- Motive
- Espionage
- Attribution
- Nation-state
- Transitive
- No
- Observed Duration
- 30 days
Evidence
Compromised Artifacts
- devout.ksystem.co.kr
- ClientUpdater.exe (via KSystem ERP update mechanism)
Current Artifacts and Analysis
Indicators and Changes
Hashes
External References
Source Data
Source record: proprietary/ksystem/meta.yaml