Initech

#INITROY • 2016-01

🇰🇷 Korea, Republic of

The INITROY incident involved a compromised financial information security company whose stolen code-signing certificate was used to make malware appear legitimate and distribute signed payloads to organizations via an academic association website server. Linked analysis described downloader and backdoor behavior including service-based persistence, encoded strings, command execution, additional malware download, host-information collection, C2 communication, and North Korea-linked investigative evidence, with FSI later grouping INITROY in the Andariel/Rifle activity set.
