APT37’s Pretexting-Based Targeted Intrusion: Analysis of Facebook Reconnaissance and Software Tampering Attacks

2026-04-12 Genians

https://www.genians.co.kr/en/blog/threat_intelligence/pretexting


APT37 used Facebook accounts that listed Pyongyang and Pyongsong as their locations to identify targets, built trust through friend requests and Messenger conversations, and then moved the victims to Telegram for delivery. The lure claimed that encrypted military-weapons PDF documents required a dedicated viewer, leading targets to run a tampered Wondershare PDFelement installer whose name resembled a security-related PDF viewer. The modified installer's entry point was redirected to shellcode stored in a code cave; once that shellcode had run, control returned to the normal installation flow, so the installer behaved as expected while the initial compromise took place. Follow-on activity abused the Seoul branch site of a Japanese real-estate information service as C2 infrastructure and delivered a payload disguised as a JPG file. The chain thus combines three techniques: tampering with legitimate software, abusing legitimate infrastructure, and masquerading file extensions.
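
As an added example (not code from Genians or from the report), the following Python script checks two of the tampering traits described above from a defender's side: whether a PE file's entry point lands in a code cave (section padding, a non-executable section, or outside all sections) and whether a file's extension matches its leading bytes (a PE named as .jpg). The sample PE is constructed inline as a test fixture and does not represent the actual installer.

```python
"""Defender-side checks for two traits described above: a PE whose entry
point was redirected into a code cave, and a payload whose file extension
does not match its real content (e.g. a PE named as .jpg)."""
import os
import struct

IMAGE_SCN_MEM_EXECUTE = 0x20000000
# Expected leading bytes per extension (assumed list, for the mismatch check).
MAGIC = {".jpg": b"\xff\xd8\xff", ".jpeg": b"\xff\xd8\xff",
         ".pdf": b"%PDF", ".exe": b"MZ", ".png": b"\x89PNG"}

def classify_entry_point(pe):
    """Return (verdict, section) describing where AddressOfEntryPoint lands."""
    if pe[:2] != b"MZ":
        return ("not-pe", None)
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return ("not-pe", None)
    nsec = struct.unpack_from("<H", pe, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", pe, e_lfanew + 20)[0]
    opt = e_lfanew + 24                     # optional header start
    ep = struct.unpack_from("<I", pe, opt + 16)[0]
    for i in range(nsec):
        off = opt + opt_size + 40 * i       # section table entry
        name = pe[off:off + 8].rstrip(b"\0").decode(errors="replace")
        vsize, vaddr, rawsize = struct.unpack_from("<III", pe, off + 8)
        flags = struct.unpack_from("<I", pe, off + 36)[0]
        if vaddr <= ep < vaddr + max(vsize, rawsize):
            if ep >= vaddr + vsize:         # in file padding past VirtualSize
                return ("code-cave-slack", name)
            if not flags & IMAGE_SCN_MEM_EXECUTE:
                return ("non-executable-section", name)
            return ("normal", name)
    return ("outside-sections", None)

def extension_mismatch(filename, data):
    """True when a known extension's magic bytes are absent from the content."""
    expected = MAGIC.get(os.path.splitext(filename.lower())[1])
    return expected is not None and not data.startswith(expected)

def build_pe(entry_rva, vsize=0x100, rawsize=0x200):
    """Constructed minimal PE32 with one .text section (test fixture only)."""
    dos = b"MZ".ljust(0x3C, b"\0") + struct.pack("<I", 0x40)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0x60, 0x102)
    opt = struct.pack("<HBBIIII", 0x10B, 0, 0, rawsize, 0, 0, entry_rva).ljust(0x60, b"\0")
    sect = (b".text".ljust(8, b"\0") + struct.pack("<IIII", vsize, 0x1000, rawsize, 0x200)
            ).ljust(36, b"\0") + struct.pack("<I", 0x60000020)
    return (dos + coff + opt + sect).ljust(0x200, b"\0") + b"\xC3".ljust(rawsize, b"\0")
```

Run `classify_entry_point(open(path, "rb").read())` on a suspect installer; an entry point in section slack is a strong sign of the kind of entry-point redirection described above, while `extension_mismatch` flags content that does not match its claimed type.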

Indicators of Compromise

