Genians links this campaign to suspected APT37 activity using spear-phishing emails that deliver ZIP archives containing malicious LNK files. The lures included airline e-ticket confirmations, North Korea research event invitations, and impersonation of defense and police officials to induce execution. Once opened, the LNK reconstructs obfuscated commands through environment-variable substring expansion, launches batch files, and downloads additional payloads in a multi-stage chain. The final payload is Compiled Python bytecode disguised with a .cat extension and analyzed as a Python-runtime remote command execution backdoor, with overlaps to prior deepfake-themed military ID forgery activity and related C2 infrastructure abuse.