ScarCruft surveilling North Korean defectors and human rights activists
2021-11-29 • Kaspersky
Kaspersky describes ScarCruft/APT37/Temp.Reaper activity against North Korean defectors, journalists covering North Korea, and Korean Peninsula-related organizations, uncovered while assisting a compromised news organization. The investigation found a victim infected with PowerShell malware, evidence of months-long surveillance and data theft, and attempts to phish the victim's associates using stolen Facebook and email credentials. ScarCruft delivered a password-protected RAR archive containing a malicious Word document with a North Korea-themed lure; the macro chain checked for Kaspersky components, modified Office macro trust settings, decrypted shellcode, and attempted to fetch a next-stage payload from a OneDrive URL (defanged in the report). Related PowerShell, Windows executable, and Android malware families shared the same HTTP-based command-and-control logic, and logs recovered from compromised servers exposed additional South Korean victims and infrastructure in use since early 2021.