Beware of North Korean Hacking Group's Spear-Phishing Attacks Disguised as Business Partner Emails!
2025-02-13 • ESTSecurity • Warning on North Korean Spear-Phishing Disguised as Business Partner Email
ESRC reported a spear-phishing campaign in which attackers impersonated business counterparts, abusing existing reply-chain context and spoofed sender display names so that the malicious emails appeared to come from a trusted partner. The emails carried EGG archives (the ALZip archive format common in Korea) containing PIF executables. When run, the PIF file displayed a decoy PDF, such as an inspection document or a laptop quotation, while launching IconCache.tmp.pif in the background. ESRC identified IconCache.tmp.pif as the PebbleDash backdoor, which connects to attacker-controlled C2 infrastructure and accepts commands to download, upload, and execute files. The C2 server appeared to be a compromised legitimate website with a web shell planted on it, and ESRC attributed the activity to suspected Kimsuky operations based on the use of PebbleDash and a web shell matching infrastructure previously associated with the group. The case highlights the continued combination of trusted business-email context, uncommon executable extensions such as .pif, and decoy documents to improve phishing success against corporate users.
Indicators of Compromise
| Type | Value | First Seen | Last Seen |
|---|---|---|---|
| MD5 | 7349683077ce4fcac77580848182ead9 | 2025-02-13 | 2025-05-19 |
| MD5 | a5e159bde52a3bdac3bac9056f316c43 | 2025-02-13 | 2025-02-13 |
| MD5 | 832435d00b097339a19c2a8ad7aca4aa | 2025-02-13 | 2025-02-13 |
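The two tradecraft elements the report describes, a spoofed sender display name riding on a trusted reply chain and a PE executable hidden behind an uncommon .pif extension inside an archive, can both be checked at a mail gateway before the user ever sees the decoy PDF. The following is an added example, not ESRC's or ESTSecurity's own tooling: it triages a message from its From header and the unpacked archive members, flagging display-name/domain mismatches, uncommon executable extensions, double extensions in the IconCache.tmp.pif style, PE magic behind a non-executable extension, and MD5 matches against the IoC list above. The trusted-contact mapping, the sample From header, the archive member bytes and the extension list beyond .pif are constructed assumptions for illustration; unpacking the EGG container itself is left to an archive tool and is outside this snippet.

```python
import hashlib
from email.utils import parseaddr

# MD5 indicators listed on this page.
IOC_MD5 = {
    "7349683077ce4fcac77580848182ead9",
    "a5e159bde52a3bdac3bac9056f316c43",
    "832435d00b097339a19c2a8ad7aca4aa",
}

# Extensions Windows executes directly but that rarely belong in business
# attachments. The page names PIF; the others are an assumption for illustration.
UNCOMMON_EXEC_EXT = {"pif", "scr", "com", "cpl", "hta", "js", "vbs"}

# Benign-looking extensions that attackers put in front of the real one.
DECOY_INNER_EXT = {"tmp", "pdf", "doc", "docx", "xls", "xlsx", "txt"}

PE_MAGIC = b"MZ"  # DOS stub at the start of every Windows PE image


def flags_for_member(name: str, data: bytes) -> list:
    """Return the reasons an archive member looks like a disguised executable."""
    flags = []
    parts = name.lower().rsplit(".", 2)
    ext = parts[-1] if len(parts) > 1 else ""
    if ext in UNCOMMON_EXEC_EXT:
        flags.append("uncommon-exec-ext")
    # IconCache.tmp.pif: decoy extension followed by an executable one.
    if len(parts) == 3 and parts[1] in DECOY_INNER_EXT and ext in UNCOMMON_EXEC_EXT:
        flags.append("double-extension")
    # Content check: PE header behind anything other than .exe/.dll.
    if data[:2] == PE_MAGIC and ext not in {"exe", "dll"}:
        flags.append("pe-magic-nonstandard-ext")
    if hashlib.md5(data).hexdigest() in IOC_MD5:
        flags.append("ioc-hash-match")
    return flags


def spoofed_display_name(from_header: str, trusted: dict) -> bool:
    """True when the display name is a known partner but the address domain is not theirs.

    `trusted` maps a lower-cased display name to the domain it legitimately uses
    (constructed assumption: a real deployment would source this from the CRM or
    the organisation's contact directory).
    """
    name, addr = parseaddr(from_header)
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    expected = trusted.get(name.strip().lower())
    return expected is not None and domain != expected


def triage_message(from_header: str, members: list, trusted: dict) -> dict:
    """Combine sender and attachment checks into one verdict for a message."""
    findings = {
        "spoofed_sender": spoofed_display_name(from_header, trusted),
        "members": {},
    }
    for name, data in members:
        flags = flags_for_member(name, data)
        if flags:
            findings["members"][name] = flags
    findings["suspicious"] = findings["spoofed_sender"] or bool(findings["members"])
    return findings


# Constructed sample: a partner's name on a look-alike free-mail domain, an
# EGG archive unpacked into a decoy PDF plus a PIF carrying a PE header.
SAMPLE_TRUSTED = {"park ji-won": "partner-example.co.kr"}
SAMPLE_FROM = "Park Ji-won <park.jiwon@mail-example.com>"
SAMPLE_MEMBERS = [
    ("Inspection_Report.pdf", b"%PDF-1.7\n%constructed decoy\n"),
    ("IconCache.tmp.pif", PE_MAGIC + b"\x90" * 62),
]

if __name__ == "__main__":
    result = triage_message(SAMPLE_FROM, SAMPLE_MEMBERS, SAMPLE_TRUSTED)
    for member, flags in result["members"].items():
        print(f"{member}: {', '.join(flags)}")
    print("spoofed sender:", result["spoofed_sender"])
    print("suspicious:", result["suspicious"])
```

The content check matters more than the extension check: renaming a PE to .pif still leaves the MZ header in place, whereas an extension allow-list is trivially evaded by the next campaign choosing a different one. The hash comparison is the weakest signal here, since any rebuild of the backdoor changes it, so treat a hash hit as confirmation rather than as the primary detection.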