Malicious LNK spreading Backdoor: RedEyes (ScarCruft)

2023-09-01 AhnLab Malicious LNK spreading Backdoor: RedEyes (ScarCruft)

https://asec.ahnlab.com/ko/56526/


AhnLab analyzed RedEyes/ScarCruft malware distributed as malicious LNK files, including a REPORT.ZIP archive hosted on a legitimate site and disguised with a decoy Korean public-agency Excel document. When executed, the LNK used PowerShell to extract the decoy XLSX and a BAT script, copied the script into the user profile, and registered RunOnce persistence under HKCU. The decoded PowerShell chain invoked mshta to retrieve additional script code and communicated with 75.119.136[.]207 and bian0151.cafe24[.]com for command retrieval and result reporting. Supported commands included clipboard and process collection, file listing, command execution, plugin download, file download, and upload, showing an actively maintained backdoor capability.

Indicators of Compromise

Type    Value                               First Seen   Last Seen
HASH    27f74072d6268b5d96d73107c560d852    2023-09-01   2023-09-06
HASH    0eb8db3cbde470407f942fd63afe42b8    2023-08-22   2023-09-06
HASH    2d444b6f72c8327d1d155faa2cca7fd7    2023-08-22   2023-09-06
URL     http://bian0151.cafe24.com/admi…    2023-08-22   2023-09-06
DOMAIN  bian0151.cafe24.com                 2023-08-22   2023-09-06
IPv4    75.119.136.207                      2023-07-11   2023-09-06
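As an added example that is not part of the AhnLab report or this page, the following Python script shows how a defender would turn the summary and the IoC table into detection logic: it matches the three hashes, the domain and the IPv4 address from the table against endpoint telemetry, and flags the behaviours the summary describes (PowerShell launched from the LNK under explorer.exe, mshta.exe spawned by PowerShell, and RunOnce persistence under HKCU pointing into the user profile). The sample events, their field names, the encoded-command flag on the PowerShell command line and the placeholder mshta URL are constructed assumptions, not values from the report.

```python
"""Constructed detection example for the RedEyes/ScarCruft LNK chain.

IoC values come from the report's table; every event below is sample
telemetry invented for this example (loosely modelled on Sysmon
process-create, registry-set, network-connect and file-create fields).
"""
import re

# Indicators from the report's IoC table.
IOC_HASHES = {
    "27f74072d6268b5d96d73107c560d852",
    "0eb8db3cbde470407f942fd63afe42b8",
    "2d444b6f72c8327d1d155faa2cca7fd7",
}
IOC_DOMAINS = {"bian0151.cafe24.com"}
IOC_IPS = {"75.119.136.207"}

PS_PATH = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"

# Constructed sample telemetry (assumption: one dict per event).
SAMPLE_EVENTS = [
    {"id": 1, "type": "process", "parent": r"C:\Windows\explorer.exe",
     "image": PS_PATH,
     # -enc is an assumption; the report only says the chain was decoded.
     "cmdline": "powershell.exe -NoProfile -ExecutionPolicy Bypass -enc <base64-placeholder>"},
    {"id": 2, "type": "process", "parent": PS_PATH,
     "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": "mshta.exe http://<placeholder-host>/<placeholder-path>"},
    {"id": 3, "type": "registry",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce\Update",
     "data": r"C:\Users\alice\update.bat"},
    {"id": 4, "type": "network", "dest_ip": "75.119.136.207", "dest_host": ""},
    {"id": 5, "type": "network", "dest_ip": "203.0.113.5",
     "dest_host": "bian0151.cafe24.com"},
    {"id": 6, "type": "file", "path": r"C:\Users\alice\Downloads\REPORT.ZIP",
     "md5": "27f74072d6268b5d96d73107c560d852"},
    # Benign control event: Excel opened from explorer, nothing to flag.
    {"id": 7, "type": "process", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "cmdline": "EXCEL.EXE report.xlsx"},
]

# Matches -e, -ec, -en, -enc ... -encodedcommand as a standalone switch,
# but not -ExecutionPolicy (no whitespace right after the prefix).
ENCODED_SWITCH = re.compile(r"(?i)\s-(e|ec|en[a-z]*)\s")
USER_PROFILE_PATH = re.compile(r"(?i)^[a-z]:\\users\\")


def _basename(path):
    """Lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def match_iocs(events):
    """Return (event id, indicator type, value) for every atomic IoC hit."""
    hits = []
    for ev in events:
        if ev.get("md5", "").lower() in IOC_HASHES:
            hits.append((ev["id"], "hash", ev["md5"]))
        if ev.get("dest_ip") in IOC_IPS:
            hits.append((ev["id"], "ip", ev["dest_ip"]))
        if ev.get("dest_host", "").lower() in IOC_DOMAINS:
            hits.append((ev["id"], "domain", ev["dest_host"]))
    return hits


def detect_behaviours(events):
    """Return (event id, rule name) for the chain behaviours in the report."""
    findings = []
    for ev in events:
        if ev["type"] == "process":
            parent, image = _basename(ev["parent"]), _basename(ev["image"])
            # LNK double-clicked in Explorer launching an encoded PowerShell.
            if parent == "explorer.exe" and image == "powershell.exe" \
                    and ENCODED_SWITCH.search(ev["cmdline"]):
                findings.append((ev["id"], "encoded_powershell_from_explorer"))
            # PowerShell stage pulling further script code through mshta.
            if parent == "powershell.exe" and image == "mshta.exe":
                findings.append((ev["id"], "powershell_spawns_mshta"))
        elif ev["type"] == "registry":
            key = ev["key"].upper()
            # RunOnce persistence under HKCU whose value lives in a user profile.
            if key.startswith("HKCU\\") and "\\RUNONCE\\" in key \
                    and USER_PROFILE_PATH.match(ev["data"]):
                findings.append((ev["id"], "hkcu_runonce_user_profile_script"))
    return findings


if __name__ == "__main__":
    for hit in match_iocs(SAMPLE_EVENTS):
        print("IOC   ", hit)
    for finding in detect_behaviours(SAMPLE_EVENTS):
        print("RULE  ", finding)
```

The IoC matches expire with the infrastructure, whereas the three behavioural rules keep firing on a re-tooled campaign, so in practice the behavioural findings are the ones worth alerting on and the IoC hits serve to confirm attribution.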
