Operation HanKook Phantom: Spear-Phishing Campaign
Essential information
- Published
- 29/08/2025 13:41
- Modified
- 29/08/2025 15:49
- Tags
- 2025-08-29, cloud services, data exfiltration, espionage, fileless, lnk files, north korea, powershell, rokrat, south korea, spear-phishing
- Related entities
- 1 intrusion set (APT), 6 techniques (MITRE), 1 malware, 11 others
Description
APT37, a North Korean state-backed cyber espionage group, has launched a spear-phishing campaign targeting South Korean government bodies, research institutions, and academics. The lures are malicious LNK (Windows shortcut) files disguised as legitimate documents, which start a multi-stage infection chain: fileless PowerShell execution, in-memory loading of encrypted payloads, and covert data exfiltration. The campaign, dubbed Operation HanKook Phantom, shows APT37's continued focus on intelligence gathering and long-term espionage against South Korean targets. The attackers use cloud services for command-and-control and several detection-evasion techniques, underlining the persistent threat posed by North Korean state-sponsored actors.
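A first triage step for this kind of lure is to read the shortcut's own metadata, since a "document" LNK whose real target is powershell.exe with a hidden window and an encoded command line gives itself away before anything runs. The following is an added example written for this page, not code or artefacts from the campaign report: it builds two synthetic .lnk files (one mimicking the lure pattern described above, one a benign document shortcut) with a minimal MS-SHLLINK writer, parses the header and StringData back, and applies heuristics. The field values, paths, and the base64 fragment are constructed for illustration.

```python
"""Minimal MS-SHLLINK (.lnk) parser plus triage heuristics for script-host lures.

Added example: the .lnk samples are synthetic, built by build_lnk() below;
they are not files from Operation HanKook Phantom.
"""
import re
import struct

# CLSID 00021401-0000-0000-C000-000000000046 in on-disk (little-endian GUID) order
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")

# LinkFlags bits (MS-SHLLINK 2.1.1)
HAS_IDLIST, HAS_LINKINFO, HAS_NAME, HAS_RELPATH = 0x01, 0x02, 0x04, 0x08
HAS_WORKDIR, HAS_ARGS, HAS_ICON, IS_UNICODE = 0x10, 0x20, 0x40, 0x80
SW_SHOWMINNOACTIVE = 7  # ShowCommand value that starts the window minimized and unfocused

# StringData entries appear in this fixed order when their flag is set
STRING_FIELDS = [("name", HAS_NAME), ("relative_path", HAS_RELPATH),
                 ("working_dir", HAS_WORKDIR), ("arguments", HAS_ARGS),
                 ("icon_location", HAS_ICON)]

SCRIPT_HOSTS = ("powershell", "pwsh", "cmd.exe", "mshta", "wscript", "cscript", "rundll32")
DOC_ICONS = ("winword", "excel", "powerpnt", "acrord32", "hwp", ".docx", ".pdf", ".hwp")
ARG_PATTERNS = (r"-w(?:indowstyle)?\s+hidden", r"-e(?:nc(?:odedcommand)?|c)\b",
                r"-nop(?:rofile)?\b", r"-(?:ep|executionpolicy)\s+bypass",
                r"\biex\b|invoke-expression", r"downloadstring|downloadfile|frombase64string")


def build_lnk(show_command=1, **fields):
    """Build a minimal Unicode .lnk: ShellLinkHeader + StringData + TerminalBlock."""
    flags = IS_UNICODE
    body = b""
    for key, bit in STRING_FIELDS:
        value = fields.get(key)
        if value is not None:
            flags |= bit
            body += struct.pack("<H", len(value)) + value.encode("utf-16-le")
    header = struct.pack("<I16sIIQQQIiIHHII", 0x4C, LNK_CLSID, flags,
                         0, 0, 0, 0, 0, 0, show_command, 0, 0, 0, 0)
    return header + body + struct.pack("<I", 0)


def parse_lnk(data):
    """Return ShowCommand and StringData fields; skips IDList/LinkInfo if present."""
    if len(data) < 0x4C or data[:4] != b"\x4c\x00\x00\x00" or data[4:20] != LNK_CLSID:
        raise ValueError("not a shell link")
    flags = struct.unpack_from("<I", data, 20)[0]
    info = {"show_command": struct.unpack_from("<I", data, 60)[0]}
    pos = 0x4C
    if flags & HAS_IDLIST:      # IDListSize (u16) + IDList
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINKINFO:    # LinkInfoSize (u32) covers the whole structure
        pos += struct.unpack_from("<I", data, pos)[0]
    for key, bit in STRING_FIELDS:
        if not flags & bit:
            continue
        count = struct.unpack_from("<H", data, pos)[0]
        pos += 2
        if flags & IS_UNICODE:
            info[key] = data[pos:pos + 2 * count].decode("utf-16-le")
            pos += 2 * count
        else:
            info[key] = data[pos:pos + count].decode("cp1252", "replace")
            pos += count
    return info


def assess_lnk(info):
    """Heuristics an analyst applies to a shortcut posing as a document."""
    findings = []
    target = (info.get("relative_path") or "").lower()
    args = info.get("arguments") or ""
    icon = (info.get("icon_location") or "").lower()
    script_host = any(h in target for h in SCRIPT_HOSTS)
    if script_host:
        findings.append("target is a script host: " + target.rsplit("\\", 1)[-1])
    hits = [p for p in ARG_PATTERNS if re.search(p, args, re.I)]
    if hits:
        findings.append(f"{len(hits)} PowerShell evasion/download flags in arguments")
    if script_host and any(a in icon for a in DOC_ICONS):
        findings.append("document icon on a script-host target: " + icon)
    if script_host and info["show_command"] == SW_SHOWMINNOACTIVE:
        findings.append("ShowCommand=SW_SHOWMINNOACTIVE keeps the console out of view")
    if len(args) > 1024:   # threshold is an assumption; lure command lines tend to be long
        findings.append(f"unusually long arguments ({len(args)} chars)")
    return findings


# Constructed samples: a lure-style shortcut and a benign document shortcut.
LURE = build_lnk(show_command=SW_SHOWMINNOACTIVE, name="2025 research plan",
                 relative_path=r"..\..\..\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 arguments="-nop -w hidden -enc SQBFAFgA",  # fragment only, not a real payload
                 icon_location=r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE")
BENIGN = build_lnk(relative_path=r"..\Documents\report.docx", working_dir=r"C:\Users\a\Documents")

if __name__ == "__main__":
    for label, blob in (("lure", LURE), ("benign", BENIGN)):
        print(label, assess_lnk(parse_lnk(blob)) or ["no findings"])
```

Two caveats for real samples: many shortcuts carry their target only in the LinkTargetIDList, which this parser skips, so an empty relative_path is not a clean bill of health; and a positive result here says only that the shortcut is worth pulling the command line out of and decoding, which is where the fileless PowerShell stage described above becomes visible.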