Reverse engineering SuperBear RAT

2023-09-14 0x0v1

https://www.0x0v1.com/reverse-engineering-superbear-rat/

SuperBear RAT was used against civil society targets and arrived through an AutoIT-based loader that hollowed explorer.exe, decrypted an embedded payload, and injected the PE into memory. The RAT created the mutex BEARLDR-EURJ-RHRHR, contacted hironchk[.]com over /id1, /id2, and /id3 paths, and checked C2 responses for the NdBrldr watermark. Supported commands included process and system discovery, upload of proc.db and sys.db, shell-command execution, and retrieval of base64-encoded DLL payloads for rundll32 execution. The analysis gives defenders concrete detection leads for AutoIT process hollowing, RWX memory in explorer.exe, the mutex, URI paths, and the upload endpoint /upload/upload.php.
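The network-side leads above (the C2 domain, the /id1..3 beacon paths, the /upload/upload.php endpoint and the NdBrldr watermark) can be checked against proxy logs with a small triage script. This is an added example, not code from the original analysis; it assumes a proxy log layout of "timestamp client-ip method url status" and uses constructed sample lines.

```python
import re
from urllib.parse import urlsplit

# Indicators quoted from the summary above; the domain is re-fanged for matching.
C2_DOMAIN = "hironchk.com"
C2_PATHS = {"/id1", "/id2", "/id3", "/upload/upload.php"}
WATERMARK = "NdBrldr"

# Assumed proxy log layout: "<timestamp> <client-ip> <method> <url> <status>".
PROXY_LINE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+(?P<status>\d{3})$"
)


def match_c2_request(line):
    """Return an alert dict if a proxy line is a request to a SuperBear C2 path, else None."""
    m = PROXY_LINE.match(line.strip())
    if not m:
        return None
    parts = urlsplit(m["url"])
    host = (parts.hostname or "").lower()
    if host != C2_DOMAIN or parts.path not in C2_PATHS:
        return None
    kind = "upload" if parts.path.endswith("upload.php") else "beacon"
    return {"ts": m["ts"], "src": m["src"], "path": parts.path, "kind": kind}


def has_watermark(body):
    """True if a captured C2 response body carries the NdBrldr watermark the RAT checks for."""
    return WATERMARK in body


def triage(lines):
    """Group C2 hits by client so one host that beacons and then uploads stands out."""
    hits = {}
    for line in lines:
        alert = match_c2_request(line)
        if alert:
            hits.setdefault(alert["src"], []).append(alert)
    return hits


# Constructed sample proxy lines (not real traffic): a beacon, benign noise, an upload, a decoy host.
SAMPLE_LOG = [
    "2023-09-01T10:00:01Z 10.0.0.5 GET http://hironchk.com/id1 200",
    "2023-09-01T10:00:02Z 10.0.0.5 GET http://hironchk.com/favicon.ico 404",
    "2023-09-01T10:00:05Z 10.0.0.5 POST http://hironchk.com/upload/upload.php 200",
    "2023-09-01T10:00:07Z 10.0.0.9 GET http://example.com/id1 200",
]

if __name__ == "__main__":
    for src, alerts in triage(SAMPLE_LOG).items():
        print(src, [a["path"] for a in alerts])
```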

Indicators of Compromise

Type    Value                               First Seen   Last Seen
HASH    282e926eb90960a8a807dd0b9e8668e…    2023-08-31   2023-09-15
DOMAIN  hironchk.com                        2023-08-31   2023-09-15
HASH    5305b8969b33549b6bd4b68a3f9a2db…    2023-08-31   2023-09-14
HASH    454cfe3be695d0a387d7877c11d3b22…    2023-08-31   2023-09-14
URL     https://syra.forumcommunity.net…    2023-08-31   2023-09-14
DOMAIN  autoit-script.ru                    2023-08-31   2023-09-14
DOMAIN  syra.forumcommunity.net             2023-08-31   2023-09-14
