The source attributes a November 2023 billing themed HTML and LNK malware chain to APT37, also known as Reaper, Group123, RedEyes, ScarCruft, or Ricochet Chollima. The lure is distributed as a ZIP containing an HWP decoy and a malicious LNK that launches obfuscated PowerShell, extracts embedded HTML and VBS data from the LNK, deletes the original shortcut, and runs a VBS payload from the public Libraries path. The write up frames the activity as part of APT37 tradecraft for espionage and information theft against South Korean and regional targets, with RokRAT style behavior including credential theft, data exfiltration, screenshots, system information collection, command execution, and cloud service based C2. Representative indicators include the defanged URL ebpp.airport[.]kr/mail.do and hashes for the ZIP and LNK samples.