Attackers compromised the update server of a remote support solutions provider to deliver malicious updates to targeted organizations in South Korea. The malicious update was signed using a valid certificate stolen from the remote support solutions provider.
Attackers first compromised the update server, then configured the server to deliver malicious files only if the client was located within the IP address range of their target organizations.
N/A
It appears the attackers compromised the publishing infrastructure, as well as signing keys for updates.