How we’re protecting users from government-backed attacks from North Korea
2023-04-05 • Google
Google TAG describes ARCHIPELAGO, a subset of APT43 activity it has tracked since 2012, as targeting people with expertise in North Korea policy, sanctions, human rights, and non-proliferation across government, military, think tank, academic, and research communities in South Korea, the United States, and elsewhere. The group uses rapport-building phishing that impersonates media outlets or think tanks, sends interview or RFI pretexts, and redirects victims to credential-harvesting pages or benign follow-up documents. TAG also reports browser-in-the-browser phishing, benign PDFs hosted on cloud services with embedded phishing links, password-protected malware attachments, and experiments encoding payloads or C2 commands in Google Drive file names. Google’s mitigations include Safe Browsing additions and government-backed attacker alerts for targeted Gmail and Workspace users.