RedEyes Group (APT37) Eavesdropping on Individuals
2023-06-12 • Ahnlab • RedEyes group eavesdropping on individuals (APT37)
AhnLab reports that RedEyes, also known as APT37, ScarCruft, and Reaper, targeted individuals such as North Korean defectors, human-rights activists, and university professors in May 2023. The attack chain began with spear-phishing that paired a password-protected benign document with a CHM file posing as the password file; opening the CHM launched MSHTA to retrieve scripts from attacker infrastructure and install a PowerShell backdoor with Run-key persistence. The group used a Golang Ably-based backdoor that fetched a Base64-encoded channel key from GitHub, exchanged UP/DOWN messages over Ably for command execution, and then used COM hijacking and fileless execution to deploy an information stealer. ASEC named the stealer FadeStealer and described screenshot capture, removable-media and smartphone data theft, keylogging, microphone eavesdropping, RAR-compressed exfiltration every 30 minutes, and C2 paths on 172.93.181[.]249.
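The chain summarized above has several points a defender can detect without any sample in hand: the CHM viewer (hh.exe) spawning mshta.exe, mshta.exe fetching a script from a remote URL, a Run-key value that launches PowerShell, and connections to the C2 address listed in the IoC table. The following Python is an added example, not code from the AhnLab report; it runs a few such rules over constructed, Sysmon-like event records. The event field names (`type`, `parent_image`, `image`, `command_line`, `target`, `details`, `dest_ip`) are assumptions for this example, not a vendor schema, and the URL in the sample data is a constructed placeholder.

```python
"""Detection rules for the RedEyes/APT37 chain described above.

Added example, not part of the AhnLab report. Events are simplified,
Sysmon-like dicts; the field names are assumptions, not a vendor schema.
"""
import re
from typing import Iterable, List, Tuple

# The only IoC reused from the page's table; all other data below is constructed.
C2_IPS = {"172.93.181.249"}

RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run\\", re.IGNORECASE)
URL_RE = re.compile(r"https?://", re.IGNORECASE)


def detect(events: Iterable[dict]) -> List[Tuple[str, int]]:
    """Return (rule_name, event_id) pairs for every rule an event trips."""
    findings = []
    for e in events:
        kind = e.get("type")
        if kind == "process":
            parent = e.get("parent_image", "").lower()
            image = e.get("image", "").lower()
            cmd = e.get("command_line", "")
            # Rule 1: hh.exe (the CHM viewer) spawning mshta.exe matches the
            # "CHM posing as the password file" lure in the report.
            if parent.endswith("hh.exe") and image.endswith("mshta.exe"):
                findings.append(("chm_launched_mshta", e["id"]))
            # Rule 2: mshta.exe pulling its script from a remote URL.
            if image.endswith("mshta.exe") and URL_RE.search(cmd):
                findings.append(("mshta_remote_script", e["id"]))
        elif kind == "registry":
            # Rule 3: a Run-key value whose data launches PowerShell (the
            # persistence the backdoor used). Other Run-key entries are ignored.
            if RUN_KEY_RE.search(e.get("target", "")) and \
                    "powershell" in e.get("details", "").lower():
                findings.append(("run_key_powershell", e["id"]))
        elif kind == "network":
            # Rule 4: outbound connection to the C2 address from the IoC table.
            if e.get("dest_ip") in C2_IPS:
                findings.append(("known_c2_ip", e["id"]))
    return findings


# Constructed sample telemetry: three malicious events and two benign ones.
SAMPLE_EVENTS = [
    {"id": 1, "type": "process",
     "parent_image": r"C:\Windows\hh.exe",
     "image": r"C:\Windows\System32\mshta.exe",
     "command_line": "mshta.exe http://placeholder.invalid/update.hta"},
    {"id": 2, "type": "registry",
     "target": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Update",
     "details": "powershell.exe -w hidden -c <constructed command>"},
    {"id": 3, "type": "network", "dest_ip": "172.93.181.249"},
    {"id": 4, "type": "process",
     "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\notepad.exe",
     "command_line": "notepad.exe notes.txt"},
    {"id": 5, "type": "registry",
     "target": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "details": r"C:\Users\u\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background"},
]

if __name__ == "__main__":
    for rule, event_id in detect(SAMPLE_EVENTS):
        print(f"event {event_id}: {rule}")
```

Rules 1 and 2 fire on the same event here because one mshta.exe launch carries both the suspicious parent and the remote URL; in practice either alone is worth a look, and the pair is high confidence. Note that the C2 address is written defanged (`[.]`) in the report text, so any feed ingested from the prose must be refanged before comparison, as the IoC table already does.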
Indicators of Compromise
| Type | Value | First Seen | Last Seen |
|---|---|---|---|
| HASH | 1c1136c12d0535f4b90e32aa36070682 | 2023-06-12 | 2025-09-26 |
| HASH | 1352abf9de97a0faf8645547211c3be7 | 2023-06-12 | 2025-09-26 |
| HASH | 3277e0232ed6715f2bae526686232e06 | 2023-06-12 | 2025-09-26 |
| HASH | 59804449f5670b4b9b3b13efdb296abb | 2023-06-12 | 2025-09-26 |
| HASH | 3c475d80f5f6272234da821cc418a6f7 | 2023-06-12 | 2025-09-26 |
| IPv4 | 172.93.181.249 | 2023-06-12 | 2025-09-26 |
| HASH | f44bf949abead4af0966436168610bcc | 2023-06-12 | 2023-06-21 |