Everything You Need to Know About LilacSquid

2024-06-13 Avertium

https://explore.avertium.com/resource/everything-you-need-to-know-about-lilacsquid


LilacSquid, also tracked as UAT-4820, is an espionage-focused actor active since at least 2021 against IT companies in the United States, energy organizations in Europe, and pharmaceutical companies in Asia. The Cisco Talos research underlying this summary notes that LilacSquid's tactics resemble those of North Korean groups such as Andariel and Lazarus, and raises the possibility of shared tools, infrastructure, or resources without making a formal attribution. Initial access comes either through exploitation of vulnerable internet-facing application servers or through compromised RDP credentials. Once inside, the actor deploys the open-source MeshAgent remote-management agent, proxy and tunneling tools, and the InkLoader/PurpleInk implant chain, in which InkLoader is a .NET loader that executes the PurpleInk backdoor. PurpleInk is a heavily customized QuasarRAT derivative that collects system, process, drive, folder, and file information and supports a remote shell and proxied communications. The DPRK relevance lies in the overlap with Andariel/Lazarus-style tradecraft: remote-management tooling for persistence, staged loaders, and long-term access maintained for data theft.

Indicators of Compromise

Type    Value            First Seen  Last Seen
DOMAIN  mphasis.com      2024-06-13  2024-06-13
IPv4    67.213.221.6     2024-05-30  2024-06-13
IPv4    45.9.251.14      2024-05-30  2024-06-13
IPv4    199.229.250.142  2024-05-30  2024-06-13
IPv4    192.145.127.190  2024-05-30  2024-06-13
IPv4    74.124.228.148   2023-09-12  2024-06-13
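The indicator table is only useful once it is run against telemetry. The script below is an added example (not code from the Avertium page or from the Talos research) that loads the indicators above and scans log lines for them. It matches IPv4 indicators exactly and matches the DOMAIN indicator against the whole label hierarchy, so a lookup for a host under mphasis.com is flagged while a lookalike registered under a different domain is not. The log lines at the bottom are constructed, and the two log formats (a dnsmasq-style query log and a key=value firewall log) are assumptions chosen for illustration.

```python
"""Scan log lines for the LilacSquid indicators listed above.

Added example; this is not code from the Avertium page or from the Talos
research it summarises. The log lines at the bottom are constructed, and
the two log formats (a dnsmasq-style query log and a key=value firewall
log) are assumptions chosen for illustration.
"""
import ipaddress
import re

# Indicator table from the page: (type, value, first_seen, last_seen).
IOCS = [
    ("DOMAIN", "mphasis.com", "2024-06-13", "2024-06-13"),
    ("IPv4", "67.213.221.6", "2024-05-30", "2024-06-13"),
    ("IPv4", "45.9.251.14", "2024-05-30", "2024-06-13"),
    ("IPv4", "199.229.250.142", "2024-05-30", "2024-06-13"),
    ("IPv4", "192.145.127.190", "2024-05-30", "2024-06-13"),
    ("IPv4", "74.124.228.148", "2023-09-12", "2024-06-13"),
]

DOMAINS = {v.lower() for t, v, _, _ in IOCS if t == "DOMAIN"}
IPS = {ipaddress.ip_address(v) for t, v, _, _ in IOCS if t == "IPv4"}
FIRST_SEEN = {v.lower(): first for _, v, first, _ in IOCS}

# Candidate tokens: dotted hostnames and dotted-quad IPv4 addresses.
HOST_RE = re.compile(
    r"\b[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?"
    r"(?:\.[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?)+",
    re.IGNORECASE,
)
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def match_domain(name):
    """Return the indicator domain that `name` equals or sits under, else None.

    Walks up the label hierarchy so update.mphasis.com matches mphasis.com,
    while mphasis.com.evil.example (a different registered domain) does not.
    """
    labels = name.lower().rstrip(".").split(".")
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in DOMAINS:
            return candidate
    return None


def scan_line(line):
    """Return [(ioc_type, indicator, matched_token), ...] for one log line."""
    hits = []
    for m in IPV4_RE.finditer(line):
        try:
            addr = ipaddress.ip_address(m.group(0))
        except ValueError:
            continue  # 999.1.2.3 fits the regex but is not an address
        if addr in IPS:
            hits.append(("IPv4", str(addr), m.group(0)))
    for m in HOST_RE.finditer(line):
        token = m.group(0)
        if IPV4_RE.fullmatch(token):
            continue  # dotted quads also fit HOST_RE; handled above
        indicator = match_domain(token)
        if indicator:
            hits.append(("DOMAIN", indicator, token))
    return hits


def scan_logs(lines):
    """Scan many lines; return (line_no, ioc_type, indicator, token, first_seen)."""
    results = []
    for n, line in enumerate(lines, start=1):
        for ioc_type, indicator, token in scan_line(line):
            results.append((n, ioc_type, indicator, token, FIRST_SEEN[indicator]))
    return results


# Constructed sample log lines; not real telemetry.
SAMPLE_LOGS = [
    "Jun 13 09:14:02 dns dnsmasq[812]: query[A] update.mphasis.com from 10.0.4.17",
    "Jun 13 09:14:03 dns dnsmasq[812]: query[A] www.example.org from 10.0.4.17",
    "Jun 13 09:14:05 fw kernel: action=allow proto=tcp src=10.0.4.17 dst=67.213.221.6 dport=443",
    "Jun 13 09:14:06 fw kernel: action=allow proto=tcp src=10.0.4.17 dst=8.8.8.8 dport=53",
    "Jun 13 09:14:07 dns dnsmasq[812]: query[A] mphasis.com.evil.example from 10.0.4.17",
]

if __name__ == "__main__":
    for n, ioc_type, indicator, token, first_seen in scan_logs(SAMPLE_LOGS):
        print(f"line {n}: {ioc_type} {indicator} (matched {token!r}, first seen {first_seen})")
```

Two caveats when turning this into a blocking rule. A bare registered domain as an indicator matches every host beneath it, so a DOMAIN hit should be treated as a lead to verify against the primary source rather than an automatic block. The first-seen date travels with each hit for a reason: a match on an address dated 2023-09-12 in logs from well before that date says nothing about this campaign, and the address may have been reassigned since.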
