Reverse engineering SuperBear RAT

2023-08-31 Ovi

https://0x0v1.com/posts/superbear/superbear/


The reverse-engineering write-up details the SuperBear RAT used in a campaign against civil society groups, focusing on the AutoIT stage and the injected Windows payload. The AutoIT script was compiled and packed, then used process hollowing to inject a decrypted PE into explorer.exe, where analysts found the C2-related strings. SuperBear created the mutex “BEARLDR-EURJ-RHRHR,” connected to hironchk[.]com over URI paths such as /id1, /id2, and /id3, and checked returned HTML for the “NdBrldr” watermark. Its commands supported process and system-information exfiltration via files under C:\Users\Public\Documents, shell-command download and execution, and Base64-encoded DLL retrieval followed by rundll32 execution.

Indicators of Compromise

Type     Value                                 First Seen   Last Seen
HASH     282e926eb90960a8a807dd0b9e8668e…      2023-08-31   2023-09-15
DOMAIN   hironchk.com                          2023-08-31   2023-09-15
HASH     5305b8969b33549b6bd4b68a3f9a2db…      2023-08-31   2023-09-14
HASH     454cfe3be695d0a387d7877c11d3b22…      2023-08-31   2023-09-14
URL      https://syra.forumcommunity.net…      2023-08-31   2023-09-14
DOMAIN   autoit-script.ru                      2023-08-31   2023-09-14
DOMAIN   syra.forumcommunity.net               2023-08-31   2023-09-14
