Squid Werewolf cyber spies masquerade as recruiters

2025-03-12 BI.ZONE

https://bi.zone/eng/expertise/blog/sotni-tysyach-rubley-za-vashi-sekrety-kibershpiony-squid-werewolf-maskiruyutsya-pod-rekruterov


BI.ZONE attributes a December 2024 recruiter-themed phishing campaign against an industrial organization to Squid Werewolf, also known as APT37, Ricochet Chollima, ScarCruft, and Reaper. The lure was a password-protected job-offer ZIP containing an LNK file; when opened, the LNK extracted embedded Base64 data, copied dfsvc.exe into the Startup folder as d.exe, wrote a .NET configuration file and DomainManager.dll next to it, and opened a decoy PDF. The DomainManager.dll loader is invoked through AppDomainManager side-loading and combines obfuscation, a 10-minute anti-sandbox delay, timeapi.io connectivity checks, and AES-encrypted payload handling via DomainManager.conf or Hostwinds-hosted C2 paths. The campaign shows APT37 moving from document-heavy lures toward archive, shortcut, and executable chains for espionage access.
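The persistence step described above leaves a recognisable file triad on disk: a renamed .NET executable, a matching `<name>.exe.config`, and a `DomainManager.dll` created in the same directory, here the user's Startup folder. The following detector is an added example, not code from BI.ZONE or from the report, that replays constructed Sysmon-style FileCreate events and raises an alert when that triad appears. The event field names (`process`, `target`, `original_name`), the sample paths and the `original_name` enrichment (PE OriginalFilename as an EDR might attach it) are assumptions made for this example.

```python
"""
Added example (not from the BI.ZONE report): flag the AppDomainManager
side-loading triad (<name>.exe + <name>.exe.config + DomainManager.dll)
from file-creation telemetry, rating Startup-folder hits as high severity.
"""
from collections import defaultdict
from pathlib import PureWindowsPath

# Constructed sample telemetry, loosely shaped like Sysmon Event ID 11
# (FileCreate). Field names and the "original_name" enrichment are assumptions.
STARTUP = (r"C:\Users\alice\AppData\Roaming\Microsoft\Windows"
           r"\Start Menu\Programs\Startup")
SAMPLE_EVENTS = [
    {"id": 1, "process": r"C:\Windows\explorer.exe",
     "target": r"C:\Users\alice\Downloads\Job_Offer.pdf"},
    {"id": 2, "process": r"C:\Windows\System32\cmd.exe",
     "target": STARTUP + r"\d.exe", "original_name": "dfsvc.exe"},
    {"id": 3, "process": r"C:\Windows\System32\cmd.exe",
     "target": STARTUP + r"\d.exe.config"},
    {"id": 4, "process": r"C:\Windows\System32\cmd.exe",
     "target": STARTUP + r"\DomainManager.dll"},
    # Benign: an installer writing its own app.exe.config, no DLL, no new exe.
    {"id": 5, "process": r"C:\Program Files\App\setup.exe",
     "target": r"C:\Program Files\App\app.exe.config"},
]

STARTUP_MARKER = r"\start menu\programs\startup"


def is_startup_dir(directory: str) -> bool:
    """True if the (lower-cased) directory is a per-user or all-users Startup folder."""
    return directory.lower().endswith(STARTUP_MARKER)


def detect_appdomain_sideload(events):
    """Return one alert per directory in which an executable, its .exe.config
    and a DomainManager.dll were all created. Renamed system binaries are
    reported via the assumed 'original_name' field when it disagrees with the
    on-disk name."""
    by_dir = defaultdict(list)
    for ev in events:
        path = PureWindowsPath(ev["target"])
        by_dir[str(path.parent).lower()].append((path.name.lower(), ev))

    alerts = []
    for directory, entries in by_dir.items():
        names = {name for name, _ in entries}
        if "domainmanager.dll" not in names:
            continue
        for exe in sorted(n for n in names if n.endswith(".exe")):
            if exe + ".config" not in names:
                continue
            ev_exe = next(ev for name, ev in entries if name == exe)
            original = ev_exe.get("original_name", "")
            renamed_from = original if original and original.lower() != exe else None
            alerts.append({
                "directory": directory,
                "executable": exe,
                "renamed_from": renamed_from,
                "severity": "high" if is_startup_dir(directory) else "medium",
                "event_ids": sorted(ev["id"] for _, ev in entries),
                "reason": "exe + exe.config + DomainManager.dll created together "
                          "(AppDomainManager side-loading pattern)",
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_appdomain_sideload(SAMPLE_EVENTS):
        print(alert)
```

The detector deliberately keys on the file triad rather than on hashes, so a recompiled loader or a differently named executable still trips it; the Startup-folder check only raises severity, because the same triad in any user-writable directory is worth a look. In production you would feed it real FileCreate events joined on a short time window instead of the whole event stream.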

Indicators of Compromise

Type    Value                                  First Seen   Last Seen
HASH    20dd93441c5e78b7adc7764c92719be…       2025-03-12   2025-03-12
HASH    0601426a6da40ec9b47bab54e4ec149…       2025-03-12   2025-03-12
HASH    49a2ed08930ed20cbf859ca2fe3113e…       2025-03-12   2025-03-12
URL     https://www.timeapi.io/api/time…       2025-03-12   2025-03-12
URL     https://hwsrv-1253398.hostwinds…       2025-03-12   2025-03-12
URL     https://hwsrv-1253398.hostwinds…       2025-03-12   2025-03-12
DOMAIN  hwsrv-1253398.hostwindsdns.com         2025-03-12   2025-03-12
