Hangul (HWP) Malware Using Steganography: RedEyes (ScarCruft)

2023-02-14 Ahnlab RedEyes ScarCruft HWP malware using steganography

https://asec.ahnlab.com/ko/47622/

AhnLab attributed a January 2023 HWP attack to RedEyes/ScarCruft, also known as APT37, based on the use of steganographic payload delivery and persistence commands resembling earlier ScarCruft activity. The initial access vector abused the old Hangul EPS vulnerability CVE-2017-8291 in a document named “양식.hwp,” causing shellcode to download a JPEG that concealed an encoded PE payload. The decoded executable dropped and injected a new backdoor named M2RAT into explorer.exe, while Run-key persistence launched PowerShell and mshta against attacker-controlled HTML/HTA infrastructure. M2RAT provided remote control, keylogging, screen capture, process control, and document or audio exfiltration while using shared-memory sections and POST-body C2 to reduce host and network artifacts.

Indicators of Compromise

