Monthly Threat Actor Group Intelligence Report, March 2023 (ENG)
2023-06-13 • NSHC
https://redalert.nshc.net/2023/06/13/monthly-threat-actor-group-intelligence-report-march-2023-eng/
NSHC’s March 2023 ThreatRecon report says SectorA activity was the most prominent cluster during the collection window, with five SectorA groups active across Ukraine, South Korea, the United States, Singapore, and Pakistan. The DPRK-relevant sections describe finance and investment lures using malicious Excel files, CHM malware packaged in RAR files, Word macro documents, police-themed spear phishing against North Korea policy workers, and ZIP-delivered LNK malware disguised as tax-audit documents. Reported payload behavior included macro or MSHTA-driven downloads from C2, scheduled-task or registry persistence, keylogging, clipboard collection, and host/process/file/network reconnaissance.