They have previously targeted specific individuals such as North Korean defectors and experts in North Korean affairs using hacking emails, Android app package file (.apk), and IE vulnerabilities. The North Korean threat actor TA-RedAnt (also known as RedEyes, ScarCruft, Group123, APT37, etc.) is behind this operation. TA-RedAnt exploited this vulnerability to trick victims into downloading malware on their desktops with the toast ad program installed. This vulnerability is exploited when the ad program downloads and renders the ad content.