Bisonal Malware Used in Attacks Against Russia and South Korea

2018-07-31 Palo Alto Networks

https://researchcenter.paloaltonetworks.com/2018/07/unit42-bisonal-malware-used-attacks-russia-south-korea/


Unit 42 identified a Bisonal campaign that targeted at least one Russian defense-related communications security company and one unidentified South Korean organization in early May 2018. The attackers used spear-phishing with a Windows executable disguised as a PDF and displayed a Rostec housing-project decoy document to make the lure credible to the Russian victim. The dropper decrypted an embedded Bisonal DLL and the decoy file with the RC4 key "34123412", wrote both under the Windows Temp directory, and configured Run-key persistence through rundll32. The excerpt also notes common Bisonal tradecraft (government, military, and defense targets in South Korea, Russia, and Japan; occasional dynamic-DNS C2; target or campaign codes; and decoy documents), which makes the campaign useful for hunting related Bisonal activity.
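As an added triage example (not code from the Unit 42 report or from the malware itself), the helper below decrypts a dropper-embedded resource with the RC4 key quoted above and labels the result by its file header, which is how an analyst separates the Bisonal DLL from the decoy when carving a sample. It assumes the key is used as its 8 ASCII bytes; the resource blobs are constructed stand-ins.

```python
# Added triage helper, not from the Unit 42 write-up: decrypts a dropper
# resource with the RC4 key the report attributes to the Bisonal dropper and
# labels the result. Assumption: the key is used as its 8 ASCII bytes; the
# sample blobs at the bottom are constructed here, not carved from real malware.

RC4_KEY = b"34123412"  # key quoted in the report


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA); encryption and decryption are the same operation."""
    S = list(range(256))
    j = 0
    for i in range(256):  # key-scheduling algorithm
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:  # pseudo-random generation algorithm
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def classify_payload(blob: bytes) -> str:
    """Label a decrypted blob by its file header, as an analyst carving a dropper would."""
    if blob[:2] == b"MZ":
        return "pe"       # the embedded Bisonal DLL
    if blob[:5] == b"%PDF-":
        return "pdf"      # a PDF decoy
    if blob[:4] == b"\xd0\xcf\x11\xe0":
        return "ole"      # legacy Office (OLE2) decoy
    return "unknown"


def carve(blob: bytes, key: bytes = RC4_KEY) -> tuple[str, bytes]:
    """Decrypt one embedded resource and return (kind, plaintext)."""
    plain = rc4(key, blob)
    return classify_payload(plain), plain


if __name__ == "__main__":
    # Constructed stand-ins; RC4 is symmetric, so rc4() also produces the stored form.
    fake_dll = b"MZ" + b"\x90" * 62 + b"PE\x00\x00"
    fake_decoy = b"%PDF-1.4\n%constructed decoy\n"
    for name, res in (("dll", fake_dll), ("decoy", fake_decoy)):
        kind, _ = carve(rc4(RC4_KEY, res))
        print(f"{name}: {kind}")
```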

Indicators of Compromise
