NOKKI Almost Ties the Knot with DOGCALL: Reaper Group Uses New Malware to Deploy RAT
2018-10-01 • Palo Alto Networks
Unit 42 linked NOKKI-related delivery activity to Reaper Group tradecraft by identifying a World Cup lure document that ultimately executed DOGCALL, a RAT publicly associated with North Korea-linked Reaper activity. The malicious Word macro used a distinctive base64-to-hex deobfuscation routine, downloaded a remote VBScript wrapped in HTML, and then staged additional payloads from kmbr1.nitesbr1[.]org. The second stage wrote configuration data under the user’s Microsoft application data path, downloaded files masquerading as images, and launched an executable and DLL pair that Unit 42 named Final1stspy. Final1stspy decrypted and loaded a DLL, established persistence through a Run key pointing to ieConv.exe, collected basic system information, and communicated with a hardcoded URL using the user-agent “Host Process Update.” The evidence matters because it connects lure-based document delivery, a new dropper family, and DOGCALL deployment in activity aligned with Reaper’s North Korea-linked targeting.
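A defender-side check for the three host and network artifacts the summary names (the Run key pointing to ieConv.exe, the staging domain kmbr1.nitesbr1[.]org, and the “Host Process Update” user-agent), written as an added example and not code from the Unit 42 report; the log lines are constructed, and the Sysmon-like registry and proxy line shapes are assumptions.

```python
import re
from dataclasses import dataclass

# Indicators taken from the summary above; the defanged domain is re-fanged for matching.
REAPER_NOKKI_INDICATORS = {
    "domain": "kmbr1.nitesbr1.org",
    "user_agent": "Host Process Update",
    "run_key_image": "ieconv.exe",
}

# Matches a value under the per-user or machine Run key (case-insensitive).
RUN_KEY_RE = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\", re.I)

@dataclass
class Finding:
    line_no: int
    rule: str
    evidence: str

def scan_log(lines):
    """Return one Finding per line that matches a NOKKI/Final1stspy indicator."""
    findings = []
    for n, line in enumerate(lines, 1):
        low = line.lower()
        # Persistence: a Run-key value whose data points to ieConv.exe
        if RUN_KEY_RE.search(line) and REAPER_NOKKI_INDICATORS["run_key_image"] in low:
            findings.append(Finding(n, "final1stspy_run_key", line.strip()))
        # Staging host contacted by the macro's second stage
        if REAPER_NOKKI_INDICATORS["domain"] in low:
            findings.append(Finding(n, "nokki_staging_domain", line.strip()))
        # C2 beacon: the hardcoded user-agent string
        if REAPER_NOKKI_INDICATORS["user_agent"].lower() in low:
            findings.append(Finding(n, "final1stspy_user_agent", line.strip()))
    return findings

# Constructed sample lines (assumed formats, not taken from the report).
SAMPLE_LOG = [
    "Sysmon EID13 RegistryEvent TargetObject=HKU\\S-1-5-21-1111-2222-3333-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\ieConv Details=C:\\Users\\alice\\AppData\\Roaming\\Microsoft\\ieConv.exe",
    "Sysmon EID13 RegistryEvent TargetObject=HKU\\S-1-5-21-1111-2222-3333-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\OneDrive Details=C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe",
    'proxy 10.0.0.5 GET http://kmbr1.nitesbr1.org/images/a.jpg UA="Mozilla/5.0"',
    'proxy 10.0.0.5 POST http://198.51.100.7/update UA="Host Process Update"',
    'proxy 10.0.0.9 GET http://example.org/ UA="Mozilla/5.0"',
]

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"line {f.line_no}: {f.rule}: {f.evidence}")
```

The second Run-key line (OneDrive) is deliberately benign so the check shows it keys on the image name, not on Run-key writes in general.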