TTP Tuesday: APT38 Pharmaceuticals

2022-06-30 Prelude

https://feed.prelude.org/p/apt38-pharmaceutical-attacks


Prelude describes a 2020 APT38 spear-phishing chain against pharmaceutical companies that used ISO disk images to defeat Mark-of-the-Web (MOTW) propagation on Windows. The lure bundles a decoy job-offer PDF with a malicious application inside an ISO built with PackMyPayload. The downloaded ISO itself carries the MOTW Zone.Identifier stream, but the files inside it do not, so once the victim mounts the image its contents are handled as local rather than Internet-sourced files and the SmartScreen and Protected View checks keyed on that mark never fire. The report highlights this MOTW trust-control subversion as the key initial-access and defense-evasion behavior and notes that follow-up job-posting pretexts were used to sustain the lure.
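The propagation gap is easy to confirm on a test machine. The following PowerShell is an added example, not code from the Prelude post or from PackMyPayload; it assumes a browser-downloaded image named job-offer.iso in the current directory (a placeholder name) and needs no third-party modules. It reads the Zone.Identifier stream on the container, mounts the image read-only, and then reports whether any file on the mounted volume carries the mark.

```powershell
# Added example (not from the Prelude report). job-offer.iso is a placeholder for an
# ISO that arrived via browser download, so it carries a Zone.Identifier stream.
$iso = (Resolve-Path '.\job-offer.iso').Path

# 1. The downloaded container itself is marked: ZoneId=3 means Internet zone.
Get-Content -Path $iso -Stream Zone.Identifier

# 2. Mount the image and locate the drive letter Windows assigned to it.
$img   = Mount-DiskImage -ImagePath $iso -PassThru
$drive = ($img | Get-Volume).DriveLetter + ':\'

# 3. Inspect every file on the mounted volume. On a build that does not carry the
#    mark into the mounted image, HasMOTW is False for the decoy PDF and the payload
#    alike, which is exactly what the lure relies on. -ErrorAction is needed because
#    the CDFS/UDF volume may reject the stream query outright rather than return empty.
$report = Get-ChildItem -Path $drive -Recurse -File | ForEach-Object {
    $motw = Get-Item -Path $_.FullName -Stream Zone.Identifier -ErrorAction SilentlyContinue
    [pscustomobject]@{ File = $_.FullName; HasMOTW = [bool]$motw }
}
$report | Format-Table -AutoSize

# 4. Unmount so the image cannot be launched from by accident.
Dismount-DiskImage -ImagePath $iso
```

Run it in an isolated VM with a benign test ISO rather than the real lure; the same three cmdlets (Get-Content -Stream, Mount-DiskImage, Get-Item -Stream) are also what a triage analyst can use to document whether a given host still exhibits the gap.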
