ScarCruft targeted South Korean financial institutions, universities, and individual users with ZIP/RAR lures that delivered Chinotto PowerShell backdoors or an InfoStealer. The campaign used Korean financial and insurance themes, including encrypted decoy documents that required a target birthdate or password, and malicious LNK/CHM files hosted on public websites. One chain unpacked a fake XLSX LNK and BAT script, persisted via `UserProfileSafeBackup.bat`, invoked mshta, and contacted `75.119.136.207` and `bian0151.cafe24.com` for Chinotto commands. Other CHM chains masqueraded as HanaCard, KBank, DB Insurance, or university-related documents, with the InfoStealer collecting browser, recent-file, and registry artifacts before uploading them to attacker infrastructure.