VeilShell: A new threat from North Korea's Vedalia APT group
2024-10-04 • Symantec
North Korea-linked Vedalia, also tracked as APT37, ScarCruft, and Reaper, is reported to have deployed the previously undocumented VeilShell backdoor in activity targeting Southeast Asian countries. The infection chain begins with spear-phishing emails carrying a ZIP archive and Windows LNK file, which runs PowerShell to extract a decoy document and malicious DLL. The DLL acts as a loader that retrieves JavaScript and downloads VeilShell from a remote server. VeilShell is a PowerShell-based RAT that contacts command-and-control infrastructure to collect and exfiltrate system information, manipulate files and registry keys, create scheduled tasks, and preserve backdoor access.
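The chain above (LNK-triggered PowerShell that drops a DLL and then registers a scheduled task) is a useful correlation target for endpoint telemetry. The following is an added detection sketch, not code from Symantec or from the reported activity; it runs over constructed Sysmon-style process and file-write events, uses explorer.exe as the parent of powershell.exe as a proxy for a double-clicked LNK, and flags any PowerShell process that shows at least two of the three stages.

```python
import re
from collections import defaultdict

# Constructed sample telemetry (not real VeilShell data). "proc" = process
# creation (pid, parent pid, image, command line); "file" = file written by pid.
EVENTS = [
    {"type": "proc", "pid": 4120, "ppid": 1208, "image": r"C:\Windows\explorer.exe", "cmd": "explorer.exe"},
    {"type": "proc", "pid": 5532, "ppid": 4120,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": "powershell.exe -w hidden -c <placeholder script from LNK>"},
    {"type": "file", "pid": 5532, "path": r"C:\Users\alice\AppData\Local\Temp\report.docx"},  # decoy
    {"type": "file", "pid": 5532, "path": r"C:\Users\alice\AppData\Local\Temp\helper.dll"},   # loader
    {"type": "proc", "pid": 5610, "ppid": 5532, "image": r"C:\Windows\System32\schtasks.exe",
     "cmd": "schtasks.exe /create /sc minute /mo 10 /tn Updater /tr powershell.exe"},
    # Benign admin session: PowerShell from a console, no DLL drop, no task.
    {"type": "proc", "pid": 7001, "ppid": 6000,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "cmd": "powershell.exe Get-Process"},
]

USER_DIR = re.compile(r"\\users\\[^\\]+\\", re.IGNORECASE)  # user-writable locations


def find_chains(events):
    """Return [(pid, [stages])] for powershell.exe processes matching >= 2 stages."""
    procs = {e["pid"]: e for e in events if e["type"] == "proc"}
    files = defaultdict(list)
    for e in events:
        if e["type"] == "file":
            files[e["pid"]].append(e["path"].lower())
    hits = []
    for p in procs.values():
        if not p["image"].lower().endswith("\\powershell.exe"):
            continue
        stages = []
        parent = procs.get(p["ppid"])
        # Stage 1: interactive launch from the shell, as a double-clicked LNK produces.
        if parent and parent["image"].lower().endswith("\\explorer.exe"):
            stages.append("lnk_launch")
        # Stage 2: this PowerShell process wrote a DLL into a user-writable path.
        if any(f.endswith(".dll") and USER_DIR.search(f) for f in files[p["pid"]]):
            stages.append("dll_drop")
        # Stage 3: persistence via a child schtasks.exe or the scheduling cmdlet.
        children = [c for c in procs.values() if c["ppid"] == p["pid"]]
        if any(c["image"].lower().endswith("\\schtasks.exe") for c in children) \
                or "register-scheduledtask" in p["cmd"].lower():
            stages.append("sched_task")
        if len(stages) >= 2:
            hits.append((p["pid"], stages))
    return hits


if __name__ == "__main__":
    for pid, stages in find_chains(EVENTS):
        print(f"pid {pid}: suspicious PowerShell chain, stages={stages}")
```

In production the same logic would be driven by Sysmon process-creation and file-create events joined on process GUID rather than pid, since pids are reused.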