APT Attacks Using Cloud Storage

2024-06-11 Ahnlab

https://asec.ahnlab.com/en/66429/


The threat actor appears to select the attack targets in advance and distribute malware only after continuously collecting relevant information. The malware launched through the above process is XenoRAT, which can perform various malicious behaviors such as loading additional malware, launching and terminating processes, and communicating with the C2 server according to the threat actor's commands. Given that the threat actor also uses files disguised as documents such as money deposit contracts, insurance, and loan paperwork that include the personal information of specific individuals, it appears that the malware is distributed to specifically designated targets. [1][2][3] The threat actors mainly upload malicious scripts, RAT malware strains, and decoy documents onto cloud storage servers to carry out the attacks.

Indicators of Compromise

Type   Value                             First Seen  Last Seen
IPv4   159.100.29.122                    2024-05-23  2024-08-21
HASH   dd2988c792b0252db4c39309e6cb2c48  2024-05-23  2024-06-11
HASH   f396bf5ff64656b592fe3d665eab8aa3  2024-05-23  2024-06-11
HASH   c45d209f666f77d70bed61e6fca48bc2  2024-05-23  2024-06-11
HASH   6ad00d48fdce8dc632b13f6c2438f893  2024-05-23  2024-06-11
HASH   d9d9b8375f74812c41a1cd9abce25ac9  2024-05-23  2024-06-11
HASH   bcb0a6360f057475c63fb16e61fb3adc  2024-05-23  2024-06-11
HASH   52e5d2cd15ea7d0928e90b18039ec6c6  2024-05-23  2024-06-11
HASH   5d2fdc098d1e1a7674a40ef9140058ed  2024-05-23  2024-06-11
HASH   66b5ffb611505f0067c868dfa84aea60  2024-05-23  2024-06-11
HASH   238cd8f609b06258ab8b4ded82ebbff8  2024-05-23  2024-06-11
EMAIL  [email protected]                 2024-05-23  2024-06-11
EMAIL  [email protected]                 2024-05-23  2024-06-11
EMAIL  [email protected]                 2024-05-23  2024-06-11
EMAIL  [email protected]                 2024-05-23  2024-06-11
EMAIL  [email protected]                 2024-05-23  2024-06-11
