Tracking ScarCruft Group Threats and Defend Forward

2023-02-08 KRCERT Tracking ScarCruft group threats and Defend Forward

https://www.dailysecu.com/form/html/k-cti/image/2023/down-01-1.pdf

Attachments

down-01-1.pdf (8 MB)

The ScarCruft threat-tracking material summarizes a campaign against North Korean defectors and related targets, attributed to the APT37/Ricochet Chollima cluster (also tracked as ScarCruft). The attack chain began with email links or attachments that delivered Office documents; embedded macros or scripts then retrieved further malicious scripts from attacker-controlled C2 paths. The slides list the follow-on host-compromise artifacts: UltraVNC configuration files, Golang-based command-and-control activity, PDB paths left in the plugins, and the victim-investigation commands the operators ran. These are the indicators the material proposes for hunting and for defend-forward operations.
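PDB paths are one of the hunting pivots the slides mention. They survive in the CodeView "RSDS" debug record that MSVC writes into a PE, so they can be pulled from any binary a responder collects and compared against analyst-supplied indicators. The following is an added example, not code from the KRCERT material; the PE fragment, GUID, age, path and indicator list are all constructed for illustration and are not the actor's real artifacts.

```python
import re
import struct
from typing import Iterable, List, Tuple

# Constructed sample: a slice of what a PE's debug data looks like around the
# CodeView record. Layout: "RSDS" signature, 16-byte PDB GUID, 4-byte age,
# NUL-terminated PDB path. Values are made up for this example.
SAMPLE_PE_FRAGMENT = (
    b"\x00" * 32
    + b"RSDS"
    + bytes(range(16))                                   # constructed GUID
    + struct.pack("<I", 3)                               # constructed age
    + b"C:\\work\\plugin\\Release\\plugin.pdb\x00"       # constructed path
    + b"\x00" * 16
)

# Signature, GUID, age, then a printable ASCII path up to MAX_PATH, NUL-terminated.
RSDS_RE = re.compile(rb"RSDS(.{16})(.{4})([\x20-\x7e]{1,260})\x00", re.DOTALL)


def format_guid(raw: bytes) -> str:
    """Render the 16 on-disk GUID bytes the way PDB tooling prints them."""
    d1, d2, d3 = struct.unpack("<IHH", raw[:8])
    return f"{d1:08x}-{d2:04x}-{d3:04x}-{raw[8:10].hex()}-{raw[10:16].hex()}"


def extract_pdb_paths(data: bytes) -> List[Tuple[str, int, str]]:
    """Return (guid, age, pdb_path) for every RSDS record found in data.

    Scanning for the signature rather than walking the debug directory also
    catches records in packed or truncated samples where headers are damaged.
    """
    results = []
    for m in RSDS_RE.finditer(data):
        guid_raw, age_raw, path = m.groups()
        age = struct.unpack("<I", age_raw)[0]
        results.append((format_guid(guid_raw), age, path.decode("ascii")))
    return results


def hunt_pdb_paths(data: bytes, indicators: Iterable[str]) -> List[str]:
    """Return the extracted PDB paths that contain any analyst-supplied substring.

    Matching is case-insensitive because Windows paths are; indicators would
    normally come from a report such as the slides, not be hard-coded.
    """
    needles = [i.lower() for i in indicators]
    hits = []
    for _guid, _age, path in extract_pdb_paths(data):
        if any(n in path.lower() for n in needles):
            hits.append(path)
    return hits


if __name__ == "__main__":
    # Hypothetical indicator: a project directory name an analyst wants to pivot on.
    for guid, age, path in extract_pdb_paths(SAMPLE_PE_FRAGMENT):
        print(f"{guid} age={age} {path}")
    print(hunt_pdb_paths(SAMPLE_PE_FRAGMENT, ["\\plugin\\"]))
```

Run it against a directory of collected binaries by reading each file in binary mode and feeding the bytes to `hunt_pdb_paths`; the GUID and age together identify a specific build, so identical values across samples are a stronger link than the path string alone.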
