Security Articles

NKNShell Malware Distributed via VPN Website

Released on 2025-11-20 at 02:45:54 PM

A South Korean VPN provider's website has been compromised to distribute malware, likely by the Larva-24010 threat actor, which has been active since 2023. The attack installs several backdoors, including MeshAgent, gs-netcat, and a new Go-based backdoor called NKNShell. NKNShell uses the NKN and MQTT protocols for C2 communication, allowing the attackers to control infected systems and steal sensitive information. The distribution chain consists of a trojanized installer, PowerShell scripts, and multiple stages of payload downloads. Additional tools such as SQLMap are also deployed. The campaign targets Korean VPN users and relies on techniques including AMSI bypass, UAC bypass attempts, and blockchain-based networking protocols (NKN) to evade detection.