'Geumseong121' APT group conducting attacks that exploit domestic political and social issues!
2023-09-19 • ESTSecurity • 'Geumseong 121' APT organization is conducting attacks exploiting domestic political and social issues! •
ESTsecurity reported that Geumseong121, a North Korea-backed APT also tracked as APT37, Group123, RedEyes, and ScarCruft, used domestic political and social issues as lures delivered in oversized LNK files. One attack impersonated an activist document about Kim Jong Un's Russia visit: the shortcut displayed a decoy HWP file while PowerShell and 182309.bat downloaded word1.jpg from OneDrive. The final stage connected to pCloud using hardcoded token values to collect and transmit files selected by extension, and to download or execute additional payloads. A related oversized LNK lure about National Intelligence Service reform showed the same behavior with a PDF decoy and a profile32.jpg payload. ALYac detections included Trojan.Agent.LNK.Gen, Trojan.BAT.Agent, and Trojan.Agent.889859A.
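As an added defender-side example (not code from the ESTsecurity report), a static triage routine for the oversized-LNK lure pattern described above: it flags a shortcut that is far larger than a normal .lnk, carries a PowerShell or .bat launcher string, and has a PDF or OLE2 (HWP) decoy embedded after the header. The 1 MiB threshold, the marker list and the sample bytes are assumptions, not values from the report.

```python
# Shell link header: HeaderSize 0x4C followed by the LNK CLSID (MS-SHLLINK).
LNK_HEADER = b"\x4c\x00\x00\x00" + bytes.fromhex("0114020000000000c000000000000046")
# Assumption: benign shortcuts are a few KiB; anything above 1 MiB deserves a look.
SIZE_THRESHOLD = 1024 * 1024
# Launcher strings, searched as ASCII and as UTF-16LE (LNK StringData is Unicode).
LAUNCHER_MARKERS = ["powershell", "cmd.exe", ".bat"]
# Decoy document magics: PDF, and OLE2 compound files (HWP 5.x and legacy Office).
DECOY_MAGICS = {b"%PDF-": "pdf", b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1": "ole2 (hwp/doc)"}

def find_launcher_strings(data: bytes) -> list:
    lower = data.lower()  # lowercases ASCII bytes only, so UTF-16LE text still matches
    return [m for m in LAUNCHER_MARKERS
            if m.encode() in lower or m.encode("utf-16-le") in lower]

def find_embedded_documents(data: bytes) -> list:
    # A document magic anywhere after the fixed header means a payload rides inside the LNK.
    hits = []
    for magic, label in DECOY_MAGICS.items():
        off = data.find(magic, len(LNK_HEADER))
        if off != -1:
            hits.append((label, off))
    return hits

def triage_lnk(data: bytes) -> dict:
    """Static triage only: the shortcut target is never resolved or executed."""
    result = {"is_lnk": data.startswith(LNK_HEADER), "size": len(data),
              "oversized": len(data) > SIZE_THRESHOLD, "launcher": [], "embedded": []}
    if result["is_lnk"]:
        result["launcher"] = find_launcher_strings(data)
        result["embedded"] = find_embedded_documents(data)
    result["suspicious"] = (result["is_lnk"] and result["oversized"]
                            and bool(result["launcher"]) and bool(result["embedded"]))
    return result

def build_sample_lnk(oversized: bool) -> bytes:
    """Constructed stand-in for a lure (not a real sample): header, a UTF-16LE PowerShell
    launcher string, then an embedded PDF decoy, padded to the chosen size."""
    body = LNK_HEADER + b"\x00" * 56                     # remainder of the 0x4C-byte header
    body += "powershell -w hidden".encode("utf-16-le")
    body += b"%PDF-1.4\n%decoy\n"
    target = SIZE_THRESHOLD + 1 if oversized else 4096
    return body + b"\x00" * max(0, target - len(body))

if __name__ == "__main__":
    print(triage_lnk(build_sample_lnk(True)))
```

Run it over a quarantine folder of .lnk attachments; a hit on all three signals is a strong reason to pull the file for analysis rather than a verdict on its own.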
Indicators of Compromise