Analysis of APT-C-28 (ScarCruft) Activity Deploying Chinotto Components Against South Korea

2023-12-01 Qihoo360 Analysis of APT-C-28 (ScarCruft) activity deploying Chinotto components against South Korea

https://mp.weixin.qq.com/s?__biz=MzUyMjk4NzExMA==&mid=2247494166&idx=1&sn=c88fd9344d0a8b9597260d5d80dc7fce&chksm=f9c1d91fceb6500915a0e9cc5ecdf12d4202892a0b653e348a91f9769c583bdb33a212d22c16&scene=178&cur_album_id=1915287066892959748#rd


360 Threat Intelligence Center analyzed activity by APT-C-28, also known as ScarCruft, targeting South Korea with Chinotto components. The excerpt shows LNK-based delivery commands that extract Korean-language decoy documents and batch scripts from oversized shortcut files, including a seminar-themed PDF and a survey spreadsheet. The report says the group used phishing pages to collect victims' personal information, configured persistence on each execution, and varied the remote connections loaded at startup. Based on the observed command set, 360 assessed the memory-loaded Chinotto Trojan as feature-rich and likely only partly disclosed.

Indicators of Compromise

Type Value First Seen Last Seen
HASH fa03b0248a109a86eaddba108ebfcb14 2023-08-30 2023-12-01
HASH 16a34b0e194b3f825a19db5363df4cca 2023-08-30 2023-12-01
