– Sent a phishing email disguised as a Microsoft security alert using a Proton Mail account

– Prompted recipients to click a link in the email to access a credential collection site

– Distributed malware through an HTML attachment

·         Phishing for collecting credentials

·         Distributing Malware Using an HTML Attachment

·         Command and Control (C2) Communication Using PowerShell

·         In February 2025, the threat actor targeted Ukrainian government agencies to collect credentials and distribute malware

·         It is considered that the attack was part of the threat actor’s efforts to evaluate the risk level of their own troops and potential requests for additional support, following North Korea’s deployment of troops to support Russia in the fall of 2024

– Distributed the ZIP Compressed File Containing a Dropbox Link via Spear Phishing Email

·         Additional malware being executed when the LNK shortcut file inside a compressed file is executed

·         Spear phishing

·         Executed malware via LNK files

·         Distributed malware using Dropbox

·         Utilized Living off Trusted Sites (LoTS)

·         Utilizes the LoTS technique, which involves employing a legitimate cloud service as a command and control (C2) server, and deploys various attack strategies such as watering hole, spear phishing, and SNS phishing

·         Aside from Windows-based attacks, the group also targets Android users with malicious apps (APKs) and macOS users

·         TOUGHPROGRESS

·         PLUSDROP

·         Using Google Calendar as a C2 channel

·         Executing payload in memory

·         Encryption and compression

·         Process Hollowing

·         Control flow obfuscation