BLACKSHEEP is preserved as an Andariel-linked South Korea incident through FSI’s Rifle campaign archive, which grouped BLACKSHEEP with other linked intrusions and malware cases assessed as activity by the same attacker. The available evidence is limited but places the case in a Korea-focused Andariel/Rifle cluster involving malicious-code profiling and Hangul document tradecraft against domestic targets.