Huntress investigated targeted DPRK-backed APT activity against a nuclear or national-security think tank environment and identified BABYSHARK tradecraft in the intrusion. The actor maintained persistence through a scheduled task named GoogleUpdater that launched qwert.vbs via wscript.exe, then retrieved obfuscated content from a Google Drive page. The malware used johnbegin/johnend-style delimiters and staged normal.crp for later deobfuscation and VBScript execution, matching previously reported North Korean BABYSHARK techniques. The incident matters because the variant was customized to the victim environment, showing focused espionage rather than commodity malware deployment.