Ricochet Chollima APT Adversary Simulation

2026-01-28 S3N4T0R

https://medium.com/@S3N4T0R/ricochet-chollima-apt-adversary-simulation-b0258be69c37

A Ricochet Chollima adversary simulation recreates Operation ToyBox Story, a March 2025 spear-phishing campaign against activists focused on North Korea. The lure impersonated a South Korea-based North Korea expert and used a Hangul-themed message about North Korean soldiers deployed to Russia to redirect victims from a fake document link to a Dropbox-hosted ZIP archive. The simulated chain uses a malicious LNK file, embedded PowerShell, Toy.Bat loader components, XOR-decoded in-memory shellcode, and a final payload capable of command execution. The payload design includes Dropbox API-based command-and-control and upload behavior, plus a TCP connection for encrypted command execution, illustrating how legitimate cloud traffic can obscure operator activity.
