APT37 Review Analysis Report (Part 1): Delivery and Execution (original title: APT37 复盘分析报告(part1):投递与执行)

2020-03-25 NSFOCUS APT37 review analysis report (part1): delivery and execution

http://blog.nsfocus.net/apt37-part1-0325/


NSFOCUS describes APT37 as a North Korea-linked actor whose delivery tradecraft is shaped by its focus on South Korea, defectors and political targets. The report details repeated use of spear-phishing with malicious Hangul Word Processor (HWP) documents, including PostScript and EPS exploit paths such as CVE-2013-0808 and CVE-2015-2545, to deliver RokRat and PoorWeb in operations including Evil New Year 2018, Black Banner, Korean Sword and Printing Paper. It also notes APT37's broader execution methods, including HWP hyperlink sideloading, HTML and DOC attachments exploiting ActiveX or CVE-2017-11882, steganographic JPEG loaders, Android spyware and watering-hole pages aimed at defectors and their supporters.

Indicators of Compromise

Type     Value                          First Seen   Last Seen
DOMAIN   samsungver3.01.03printer.com   2020-03-25   2020-03-25
