APT37's Pretexting-Based Targeted Intrusion: Analysis of Facebook Reconnaissance and Software Tampering Attack

2026-04-12 Genians Analysis of APT37's Pretexting-Based Targeted Intrusion: Facebook Reconnaissance and Software Tampering Attack

https://www.genians.co.kr/blog/threat_intelligence/pretexting


APT37 used Facebook accounts whose profiles listed Pyongyang and Pyongsong as locations to identify targets, built trust through friend requests and Messenger conversations, and then steered victims to Telegram for payload delivery. The lure claimed that encrypted PDF documents about military weapons required a dedicated viewer, leading targets to run a tampered Wondershare PDFelement installer named to resemble a security-related PDF viewer. The modified installer's entry point was redirected to shellcode placed in a code cave; the installer then created a suspended dism.exe process, decrypted the payload code, and injected it into the memory of that remote process. The activity also abused the Seoul branch site of a Japanese real-estate information service as C2 infrastructure and used a payload disguised as a JPG file, an evasion-focused chain combining social engineering, PE patching, process injection, and abuse of legitimate infrastructure.
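As an added defensive example (not from the Genians report or its tooling), the Python below parses PE headers and flags an AddressOfEntryPoint that lands past a section's declared VirtualSize, the padding region where code-cave shellcode is typically placed, or outside any executable section; the PE images it inspects are constructed in-line as test input.

```python
import struct

IMAGE_SCN_MEM_EXECUTE = 0x20000000


def _u16(b, o): return struct.unpack_from("<H", b, o)[0]
def _u32(b, o): return struct.unpack_from("<I", b, o)[0]


def classify_entry_point(pe: bytes) -> tuple:
    """Return (section_name, verdict): 'ok' = inside declared code of an executable
    section; 'code_cave' = executable section but past its VirtualSize (padding);
    'non_executable' = section lacks MEM_EXECUTE; 'unmapped' = no section at all."""
    e_lfanew = _u32(pe, 0x3C)
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    coff = e_lfanew + 4
    num_sections, opt_size = _u16(pe, coff + 2), _u16(pe, coff + 16)
    opt = coff + 20
    entry = _u32(pe, opt + 16)        # AddressOfEntryPoint, same offset for PE32 and PE32+
    sec_align = _u32(pe, opt + 32)    # SectionAlignment, likewise
    for i in range(num_sections):
        hdr = opt + opt_size + 40 * i
        name = pe[hdr:hdr + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, va, rawsize = struct.unpack_from("<III", pe, hdr + 8)
        chars = _u32(pe, hdr + 36)
        mapped = -(-max(vsize, rawsize) // sec_align) * sec_align   # round up to alignment
        if va <= entry < va + mapped:
            if not chars & IMAGE_SCN_MEM_EXECUTE:
                return name, "non_executable"
            return name, "code_cave" if entry >= va + vsize else "ok"
    return None, "unmapped"


def build_pe(entry_rva: int, text_vsize: int = 0x200, text_raw: int = 0x400,
             text_chars: int = 0x60000020) -> bytes:
    """Constructed minimal one-section PE32 image (headers only) used as test input."""
    dos = bytearray(b"MZ".ljust(0x40, b"\0"))
    struct.pack_into("<I", dos, 0x3C, 0x40)                       # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 96, 0x102)  # i386, 1 section, 96-byte opt hdr
    opt = bytearray(96)
    struct.pack_into("<H", opt, 0, 0x10B)                         # PE32 magic
    struct.pack_into("<I", opt, 16, entry_rva)                    # AddressOfEntryPoint
    struct.pack_into("<I", opt, 32, 0x1000)                       # SectionAlignment
    struct.pack_into("<I", opt, 36, 0x200)                        # FileAlignment
    text = struct.pack("<8sIIIIIIHHI", b".text", text_vsize, 0x1000, text_raw,
                       0x400, 0, 0, 0, 0, text_chars)             # default: CODE|EXECUTE|READ
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + text


if __name__ == "__main__":
    for rva in (0x1010, 0x1300, 0x9000):
        print(hex(rva), classify_entry_point(build_pe(rva)))
```

A hit on `code_cave` or `unmapped` is a triage signal, not proof of tampering; compare against a known-good copy of the installer's headers before escalating.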

Indicators of Compromise

