Good Game, Gone Bad: Xeno RAT Spread Via .gg Domains and GitHub

2024-06-24 Hunt.io

https://hunt.io/blog/good-game-gone-bad-xeno-rat-spread-via-gg-domains-and-github

Hunt observed XenoRAT distribution using gaming-themed .gg domains, a GitHub account posing as a source of Roblox scripting tools, and a likely linked YouTube channel that instructed users to disable Windows Defender. The report notes prior links between XenoRAT and North Korea-linked activity, including an ASEC report on Dropbox delivery and an open directory likely run by Kimsuky that hosted the tool. The newly described infrastructure includes multiple gl.at.ply.gg controller domains, shared Developed Methods LLC IP space, and samples disguised as Roblox executors or Synapse X launchers. One related archive also delivered Quasar through portmap.io, showing that the campaign mixed open-source RAT tooling with gamer-focused lures.

Indicators of Compromise

Type   Value                              First Seen   Last Seen
HASH   e9251ef1dd3ebe4f17acf0b3552e227…   2024-06-24   2024-06-24
HASH   2051551c6c0f18eaf3c4cf45ffe6119…   2024-06-24   2024-06-24
HASH   5e7138c7ee8a1de9d041804fd11ac0b…   2024-06-24   2024-06-24
HASH   a3254b90b2c6e12c29f7d9f538087da…   2024-06-24   2024-06-24
HASH   af68a0b9e9c58dcbdd2ede205c30537…   2024-06-24   2024-06-24
HASH   707c68257c2ea97fa4591f58be326e1…   2024-06-24   2024-06-24
HASH   38ce2a41d59a1bf0f3332fb867f4379…   2024-06-24   2024-06-24
HASH   33ac2b2d228a1ec93b0ea70ffadb436…   2024-06-24   2024-06-24
HASH   7c7408870da2fe079aa460fe0d237e1…   2024-06-24   2024-06-24
HASH   029f3396c39f543dd984031eb82edcc…   2024-06-24   2024-06-24
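
As an added example (not code from Hunt.io's report), the following Python triage script operationalises both the infrastructure named in the summary and the indicator table above: it flags endpoint events that resolve or connect to gl.at.ply.gg subdomains or portmap.io, raises the severity when the requesting process name fits the Roblox executor / Synapse X lure theme, and matches file hashes against the truncated SHA-256 values by prefix. The event schema, the sample events and the process names are assumptions constructed for this example; the hash in event 2 is a published prefix padded with zeros, not a real sample hash.

```python
import re
from dataclasses import dataclass

# Tunnelling services the report names as RAT controller endpoints.
# playit.gg assigns *.gl.at.ply.gg names; portmap.io was used for the Quasar drop.
TUNNEL_DOMAIN_SUFFIXES = ("gl.at.ply.gg", "portmap.io")

# SHA-256 prefixes exactly as the report publishes them (truncated). A prefix
# hit is a lead to confirm against the full hash, not a verdict on its own.
IOC_HASH_PREFIXES = (
    "e9251ef1dd3ebe4f17acf0b3552e227",
    "2051551c6c0f18eaf3c4cf45ffe6119",
    "5e7138c7ee8a1de9d041804fd11ac0b",
    "a3254b90b2c6e12c29f7d9f538087da",
    "af68a0b9e9c58dcbdd2ede205c30537",
    "707c68257c2ea97fa4591f58be326e1",
    "38ce2a41d59a1bf0f3332fb867f4379",
    "33ac2b2d228a1ec93b0ea70ffadb436",
    "7c7408870da2fe079aa460fe0d237e1",
    "029f3396c39f543dd984031eb82edcc",
)

# Lure themes described in the report (Roblox executors, Synapse X launchers).
LURE_NAME = re.compile(r"roblox|synapse[ _-]?x|executor", re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    event_id: int
    severity: str
    reason: str


def is_tunnel_domain(host: str) -> bool:
    """True when host is one of the tunnelling services or a subdomain of one.

    The match is anchored on the suffix, so a look-alike such as
    gl.at.ply.gg.example.com does not match."""
    h = host.lower().rstrip(".")
    return any(h == s or h.endswith("." + s) for s in TUNNEL_DOMAIN_SUFFIXES)


def matches_ioc_hash(sha256: str) -> bool:
    """True when the hash begins with one of the published (truncated) IoC values."""
    return any(sha256.lower().startswith(p) for p in IOC_HASH_PREFIXES)


def looks_like_lure(name: str) -> bool:
    """True when a process or file name fits the gaming-cheat lure theme."""
    return LURE_NAME.search(name) is not None


def evaluate(events):
    """Return one Finding per suspicious event; benign events yield nothing."""
    findings = []
    for ev in events:
        if ev["type"] in ("dns", "network") and is_tunnel_domain(ev["host"]):
            # A tunnel lookup issued by a gaming-themed binary is the report's
            # pattern; the same lookup from another process is still worth a look.
            sev = "high" if looks_like_lure(ev.get("process", "")) else "medium"
            findings.append(Finding(ev["id"], sev, f"tunnel service contacted: {ev['host']}"))
        elif ev["type"] == "file" and matches_ioc_hash(ev["sha256"]):
            findings.append(Finding(ev["id"], "high", "hash matches published IoC prefix"))
    return findings


# Constructed sample events (hypothetical hosts, paths and process names).
# The SHA-256 in event 2 is an IoC prefix padded with zeros to show a match.
SAMPLE_EVENTS = [
    {"id": 1, "type": "dns", "host": "lobby-7.gl.at.ply.gg", "process": "SynapseX_Launcher.exe"},
    {"id": 2, "type": "file", "sha256": IOC_HASH_PREFIXES[0] + "0" * 33,
     "path": r"C:\Users\player\Downloads\RobloxExecutor.exe"},
    {"id": 3, "type": "dns", "host": "gl.at.ply.gg.example.com", "process": "chrome.exe"},
    {"id": 4, "type": "network", "host": "relay.portmap.io", "process": "svchost.exe"},
    {"id": 5, "type": "file", "sha256": "f" * 64, "path": r"C:\Windows\notepad.exe"},
]

if __name__ == "__main__":
    for finding in evaluate(SAMPLE_EVENTS):
        print(finding)
```

Running the script on the constructed events reports events 1, 2 and 4 and ignores the look-alike domain in event 3 and the unrelated hash in event 5. Because the published hashes are truncated, treat a prefix hit as a pivot for retrieving the full hash rather than as a blocking indicator.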