North Korea’s MistPen Malware Threatens Energy & Aerospace Sectors

2024-09-19 Foresiet

https://foresiet.com/blog/north-korean-hackers-unleash-mistpen-malware-a-new-threat-to-energy-and-aerospace-sectors/

UNC2970, a North Korean-linked cluster that the report ties to Lazarus Group, TEMP.Hermit, and Diamond Sleet, used job-themed phishing to target senior employees in the energy and aerospace sectors. Victims received tailored recruiter lures and malicious ZIP archives containing a job-description document that could only be opened with the trojanized Sumatra PDF reader bundled alongside it. Opening the lure ran the BURNBOOK launcher, which executed a malicious DLL and deployed the MISTPEN backdoor, a lightweight implant written in C that communicates with its command-and-control servers over HTTP and can fetch and run additional payloads. The report notes that the actors have iteratively improved both MISTPEN and BURNBOOK; earlier variants used compromised WordPress sites for command and control, and later ones masked their traffic behind legitimate Microsoft Graph URLs, so beaconing can blend in with normal Microsoft 365 traffic. The activity matters for critical-sector defenders because it targets high-value personnel who are likely to hold sensitive strategic or technical information, and because the lure pattern itself, a document shipped together with the viewer needed to read it, is a strong signal that should be flagged at the mail gateway and on endpoints.
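The delivery pattern described above, a job-description document bundled with the executable needed to open it, is something a mail gateway or sandbox can check for without any malware-specific indicator. The following triage routine is an added example written for this page; it is not code from Foresiet, Mandiant, or the actor's toolset. It inspects a ZIP archive in memory, classifies each member by magic bytes before falling back to the extension, and flags (a) archives that pair a document with a PE executable or DLL and (b) PE files disguised with a document extension. The sample archives it builds are constructed placeholders (a fake PDF header, an `MZ` stub, and the hypothetical file names `SumatraPDF.exe` and `pdf_support.dll`), not real samples.

```python
import io
import zipfile

PE_MAGIC = b"MZ"        # DOS/PE header, covers .exe, .dll, .scr
PDF_MAGIC = b"%PDF"
DOC_EXTS = (".pdf", ".doc", ".docx", ".rtf")
EXEC_EXTS = (".exe", ".dll", ".scr", ".cpl")


def classify_member(name: str, head: bytes) -> str:
    """Classify an archive member, trusting content before file extension."""
    lower = name.lower()
    if head.startswith(PE_MAGIC):
        return "pe"
    if head.startswith(PDF_MAGIC):
        return "pdf"
    if lower.endswith(EXEC_EXTS):
        return "pe-by-name"
    if lower.endswith(DOC_EXTS):
        return "doc-by-name"
    return "other"


def triage_zip(data: bytes) -> dict:
    """Return member classifications and findings for the reader-required lure pattern."""
    members = {}
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                head = fh.read(8)          # enough to sniff the magic bytes
            kind = classify_member(info.filename, head)
            members[info.filename] = kind
            # A PE carrying a document extension is an attempt to hide the payload.
            if kind == "pe" and info.filename.lower().endswith(DOC_EXTS):
                findings.append(f"PE disguised as document: {info.filename}")
    has_doc = any(k in ("pdf", "doc-by-name") for k in members.values())
    has_pe = any(k in ("pe", "pe-by-name") for k in members.values())
    if has_doc and has_pe:
        # The lure shape from the report: document plus the "reader" needed to open it.
        findings.append("document bundled with executable/DLL (reader-required lure pattern)")
    return {"members": members, "findings": findings, "suspicious": bool(findings)}


def build_sample_lure() -> bytes:
    """Constructed lure-shaped archive: fake job PDF plus a fake reader EXE and DLL.

    The file names and contents are placeholders for this example, not real artefacts.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Job_Description.pdf", b"%PDF-1.7\n% constructed placeholder\n")
        zf.writestr("SumatraPDF.exe", PE_MAGIC + b"\x00" * 62)
        zf.writestr("pdf_support.dll", PE_MAGIC + b"\x00" * 62)
    return buf.getvalue()


def build_sample_benign() -> bytes:
    """Constructed benign archive: two documents and nothing executable."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("resume.pdf", b"%PDF-1.7\n% constructed placeholder\n")
        zf.writestr("cover_letter.docx", b"PK\x03\x04")   # OOXML is itself a zip
    return buf.getvalue()


if __name__ == "__main__":
    for label, blob in (("lure", build_sample_lure()), ("benign", build_sample_benign())):
        result = triage_zip(blob)
        print(label, "suspicious" if result["suspicious"] else "clean", result["findings"])
```

Content sniffing matters more than the extension check: an attacker can rename the reader to anything, but a PE still starts with `MZ`. In production the same logic would run on every attachment in the mail pipeline, and a hit should quarantine the archive rather than merely log it, since the report's targets are senior staff who are likely to open what looks like a tailored job offer.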
