Analyzing the North Korean hacking group APT37 (ScarCruft) attack with CVE-2024-38178: Operation Code On Toast
2024-10-23 • Igloo •
https://www.igloopedia.com/128f216a-760c-81d3-99d1-c5918596ab01
APT37, also known as ScarCruft, was observed exploiting CVE-2024-38178 in JScript9.dll, the Internet Explorer JavaScript engine, against a specific organization in South Korea in June 2024. The intrusion began at a compromised domestic advertising-agency server: the attackers inserted malicious code into the ad_toast.html page that the Toast ad software fetches and renders, and because that software displays the ad through the Internet Explorer scripting engine, loading the tampered page was enough to trigger remote code execution. The vulnerability is a type-confusion bug, and the exploit is described as a bypass of the earlier CVE-2022-41128 patch that reuses the prior exploit logic with only a small number of added lines. The chain ended by launching ROKRAT through a Ruby-based malicious script, with cloud storage services including Yandex and pCloud used to exfiltrate stolen information and to upload and download data. Because the vector relies on legacy IE components that still ship with Windows, installing the Windows cumulative updates that fix the bug and disabling IE mode in Microsoft Edge are the relevant mitigations.
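The supply-chain step in this attack was a change to an ad page served from a third-party server, which the ad client then rendered without checking. The following is an added example (not code from the article, from Igloo, or from any ad vendor) of the kind of integrity audit an ad client or a monitoring job could run on a served ad page before trusting it: compare the page hash against a known-good baseline, flag any inline script block that was not in the baseline, and flag external script sources that are either new or from an origin outside an allow-list. Only the file name ad_toast.html comes from the article; the sample HTML, the hostnames ads.example.com and cdn.attacker.example, and the function names audit_ad_page and extract_scripts are constructed for this example.

```python
"""Audit a served ad page (e.g. ad_toast.html) against a known-good baseline.

Added example, not part of the original article or any vendor's code.
All HTML, hostnames and function names below are constructed/hypothetical.
"""
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlsplit


class _ScriptCollector(HTMLParser):
    """Collect inline <script> bodies and external script src values."""

    def __init__(self):
        super().__init__()
        self.inline = []      # text of inline <script> blocks
        self.external = []    # src attribute of <script src=...> tags
        self._in_script = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src)
        else:
            # Inline script: HTMLParser delivers its body via handle_data.
            self._in_script = True
            self._buf = []

    def handle_data(self, data):
        if self._in_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag.lower() == "script" and self._in_script:
            self._in_script = False
            self.inline.append("".join(self._buf).strip())


def extract_scripts(html):
    """Return (inline_script_bodies, external_script_srcs) for an HTML page."""
    p = _ScriptCollector()
    p.feed(html)
    p.close()
    return p.inline, p.external


def audit_ad_page(baseline_html, served_html, allowed_origins):
    """Return a list of findings; an empty list means the page matches policy."""
    findings = []
    if hashlib.sha256(baseline_html.encode()).hexdigest() != \
            hashlib.sha256(served_html.encode()).hexdigest():
        findings.append("content hash differs from baseline")

    base_inline, base_external = extract_scripts(baseline_html)
    inline, external = extract_scripts(served_html)

    # Any inline script that was not in the approved baseline is suspicious:
    # this is exactly where injected exploit code would land.
    for block in inline:
        if block not in base_inline:
            findings.append(f"new inline script: {block[:60]!r}")

    for src in external:
        origin = urlsplit(src).netloc.lower()
        if src not in base_external:
            findings.append(f"external script not in baseline: {src}")
        if origin not in allowed_origins:
            findings.append(f"external script from unexpected origin: {src}")
    return findings


# Constructed sample pages (hypothetical content, not the real ad_toast.html).
BASELINE_HTML = """<html><body><div id="ad">Toast ad</div>
<script src="https://ads.example.com/toast.js"></script>
<script>showToast("ad");</script></body></html>"""

TAMPERED_HTML = BASELINE_HTML.replace(
    "</body>",
    '<script src="https://cdn.attacker.example/x.js"></script>\n'
    '<script>/* injected */ document.write("...");</script></body>',
)

if __name__ == "__main__":
    allowed = {"ads.example.com"}
    print("baseline:", audit_ad_page(BASELINE_HTML, BASELINE_HTML, allowed))
    for f in audit_ad_page(BASELINE_HTML, TAMPERED_HTML, allowed):
        print("tampered:", f)
```

A client that enforced only the hash check would reject every legitimate ad rotation, so in practice the script-level checks are the useful ones: the baseline is the set of script blocks and origins the ad vendor has signed off on, and anything outside it blocks rendering in the IE-based view until a human reviews it.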