Genians links this campaign to suspected APT37 activity, describing spearphishing emails that deliver ZIP archives containing malicious LNK files. The lures include airline e-tickets, North Korea research event invitations, and impersonation of defense or police officials to induce execution. When opened, the LNK reconstructs obfuscated commands through environment-variable substitution, launches chained BAT scripts, and maintains C2 communication to fetch additional payloads. The final payload is a compiled Python bytecode backdoor disguised with a .cat extension, enabling remote command execution and follow-on actions such as persistence, file collection, and system information theft. The report notes continuity with earlier APT37-linked cases through similar social engineering, script obfuscation, multistage downloads, and overlapping Cafe24 and French-hosted infrastructure.