VERY IMPORTANT

The report details two separate attack cases targeting a Korean medical institution's web server, resulting in the installation of CoinMiners. The targeted server was a Windows IIS server, likely with PACS software installed. In both attacks, web shells were uploaded, and system information was collected. The first attack involved the use of Chinese tools like Cpolar and installation of a CoinMiner. The second attack used different tools like EarthWorm and RingQ but had the same ultimate goal of installing a CoinMiner. Based on various indicators, the threat actors in both cases are suspected to be Chinese-speaking users.