Attacks Leveraging Adobe Zero-Day (CVE-2018-4878)
2018-02-03 • Mandiant
FireEye assessed that exploitation of Adobe Flash zero-day CVE-2018-4878 was being carried out by TEMP.Reaper, a suspected North Korean group. The actor had historically focused on South Korean government, military, and defense targets, with interest in Korean unification and North Korean defectors, and had since expanded to international targeting. The exploit chain used malicious documents or spreadsheets with an embedded SWF file; the SWF retrieved a decryption key from compromised South Korean websites to unlock an embedded payload. Preliminary analysis indicated the vulnerability was likely used to distribute DOGCALL malware to South Korean victims. FireEye also noted previously observed TEMP.Reaper wiper malware tracked as RUHAPPY, though no active use of it against targets had been seen at that time.
Indicators of Compromise
| Type | Value | First Seen | Last Seen |
|---|---|---|---|
| IPv4 | 28.0.0.137 | 2018-02-02 | 2018-03-14 |
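As an added example (not part of the Mandiant report, and not Mandiant's tooling), the following Python parses the IoC table above and sweeps firewall log lines for the listed address. The first/last-seen window is kept as context rather than used as a filter: a hit outside the window is still a finding, because the dates describe observed activity, not the full lifetime of the infrastructure. The log line format and the sample lines are constructed assumptions for this example.

```python
import ipaddress
import re
from datetime import date

# IoC table copied verbatim from the page above (Markdown rows).
IOC_TABLE = """
| Type | Value | First Seen | Last Seen |
|---|---|---|---|
| IPv4 | 28.0.0.137 | 2018-02-02 | 2018-03-14 |
"""

# Constructed sample firewall log lines (assumed key=value format); not real data.
# 192.0.2.10 is a TEST-NET address used as benign traffic.
SAMPLE_LOGS = [
    "2018-02-05T10:14:02Z src=10.0.0.12 dst=28.0.0.137 dport=443 action=allow",
    "2018-02-05T10:14:09Z src=10.0.0.12 dst=192.0.2.10 dport=443 action=allow",
    "2018-04-01T08:02:41Z src=10.0.0.31 dst=28.0.0.137 dport=80 action=allow",
    "malformed line with no timestamp",
]

# Assumed log shape: ISO date prefix, then whitespace-separated key=value pairs.
LOG_RE = re.compile(r"^(?P<ts>\d{4}-\d{2}-\d{2})T\S+ .*?\bdst=(?P<dst>[\d.]+)")


def parse_ioc_table(markdown):
    """Parse a Markdown IoC table into dicts with typed value and date fields."""
    iocs = []
    for line in markdown.strip().splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        # Skip the header row and the |---| separator row.
        if len(cells) != 4 or cells[0] == "Type" or set(cells[0]) <= {"-"}:
            continue
        ioc_type, value, first, last = cells
        if ioc_type == "IPv4":
            value = ipaddress.ip_address(value)  # normalises and validates
        iocs.append({
            "type": ioc_type,
            "value": value,
            "first_seen": date.fromisoformat(first),
            "last_seen": date.fromisoformat(last),
        })
    return iocs


def match_logs(log_lines, iocs):
    """Return one finding per log line whose destination is an IPv4 IoC.

    Hits inside the reported first/last-seen window are tagged 'in_window';
    hits outside it are still returned, tagged 'outside_window', so that
    the analyst decides what the date context means rather than the sweep.
    """
    ip_iocs = {i["value"]: i for i in iocs if i["type"] == "IPv4"}
    findings = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparsable line: ignored here, would be counted in practice
        dst = ipaddress.ip_address(m.group("dst"))
        ioc = ip_iocs.get(dst)
        if ioc is None:
            continue
        seen = date.fromisoformat(m.group("ts"))
        in_window = ioc["first_seen"] <= seen <= ioc["last_seen"]
        findings.append({
            "line": line,
            "ioc": str(dst),
            "status": "in_window" if in_window else "outside_window",
        })
    return findings


if __name__ == "__main__":
    for f in match_logs(SAMPLE_LOGS, parse_ioc_table(IOC_TABLE)):
        print(f["status"], f["ioc"], "|", f["line"])
```

Run against the constructed lines, the sweep reports two hits on 28.0.0.137: one inside the reported window and one in April 2018 flagged outside it. The separator-row check (`set(cells[0]) <= {"-"}`) is what lets the parser accept the table exactly as it appears on the page.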