RedEyes Group Wiretapping Individuals (APT37)

2023-06-21 AhnLab

https://asec.ahnlab.com/en/54349/

ASEC attributed a May 2023 campaign to RedEyes/APT37, also known as ScarCruft/Reaper, targeting individuals such as North Korean defectors, human-rights activists, and university professors. The intrusion used spear-phishing attachments that paired a normal password-protected document with CHM malware disguised as a password file; executing the CHM launched MSHTA and a PowerShell backdoor with autorun persistence. Later stages used an Ably-based GoLang backdoor that retrieved its channel authentication key from GitHub, enabling command exchange, privilege escalation, exfiltration, and additional malware delivery. ASEC also observed a previously unknown infostealer with wiretapping features, underscoring RedEyes’ focus on monitoring specific individuals.

Indicators of Compromise

