Blog | G5 Cyber Security

Lazarus APT conceals malicious code within BMP image to drop its RAT

The North Korean APT uses a clever technique to bypass security products by embedding one of its payloads as a BMP image. The attack likely started by distributing phishing emails that were weaponized with a malicious document. The document creation time is 31 March 2021, which indicates that the attack happened around the same time. This is because the document contains a PNG image that has a compressed zlib malicious object, and since it is compressed it cannot be detected by static detections. Then the threat actor just used a simple conversion mechanism to decompress the malicious content.

Source: https://blog.malwarebytes.com/threat-intelligence/2021/04/lazarus-apt-conceals-malicious-code-within-bmp-file-to-drop-its-rat/
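The step described above, a PNG whose zlib-compressed pixel data hides an executable that only appears once the image is converted to BMP, can be checked from the defender's side. The following is an added example and not code from the G5 or Malwarebytes posts: it builds a constructed PNG whose IDAT stream carries a fake PE-shaped blob, then performs the equivalent of the PNG-to-BMP conversion (inflating the IDAT data and dropping the per-scanline filter bytes) and looks for an MZ/PE header in the result. All function names, the sample bytes and the assumption that the scanlines use filter type 0 are mine.

```python
"""Defender-side scan: inflate a PNG's IDAT stream the way a PNG->BMP
conversion would and check whether the raw pixel bytes contain a PE image."""
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
MAX_INFLATED = 16 * 1024 * 1024          # refuse to inflate past 16 MiB (zip-bomb guard)
BYTES_PER_PIXEL = {0: 1, 2: 3, 3: 1, 4: 2, 6: 4}   # 8-bit depth colour types


def _chunk(ctype: bytes, data: bytes) -> bytes:
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)


def build_png(pixel_bytes: bytes, width: int = 64) -> bytes:
    """Constructed sample: wrap arbitrary bytes as 8-bit grayscale scanlines."""
    rows = []
    for i in range(0, len(pixel_bytes), width):
        row = pixel_bytes[i:i + width].ljust(width, b"\x00")
        rows.append(b"\x00" + row)                  # filter type 0 (None) per scanline
    ihdr = struct.pack(">IIBBBBB", width, len(rows), 8, 0, 0, 0, 0)
    idat = zlib.compress(b"".join(rows))
    return PNG_SIG + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", idat) + _chunk(b"IEND", b"")


def iter_chunks(png: bytes):
    """Yield (type, data) for each chunk; CRCs are not needed for the scan."""
    if not png.startswith(PNG_SIG):
        raise ValueError("not a PNG file")
    pos = len(PNG_SIG)
    while pos + 8 <= len(png):
        length, ctype = struct.unpack(">I4s", png[pos:pos + 8])
        yield ctype, png[pos + 8:pos + 8 + length]
        pos += 12 + length
        if ctype == b"IEND":
            break


def inflate_pixels(png: bytes) -> bytes:
    """Equivalent of the conversion step: decompress all IDAT data, then drop
    the filter byte that starts each scanline (assumption: filter type 0 only)."""
    ihdr = next(data for ctype, data in iter_chunks(png) if ctype == b"IHDR")
    width, _height, depth, ctype_png = struct.unpack(">IIBB", ihdr[:10])
    if depth != 8 or ctype_png not in BYTES_PER_PIXEL:
        raise ValueError("only 8-bit images are handled by this example")
    stride = width * BYTES_PER_PIXEL[ctype_png] + 1

    idat = b"".join(data for ctype, data in iter_chunks(png) if ctype == b"IDAT")
    d = zlib.decompressobj()
    raw = d.decompress(idat, MAX_INFLATED)
    if d.unconsumed_tail:
        raise ValueError("inflated pixel data exceeds the size limit")

    rows = []
    for i in range(0, len(raw), stride):
        row = raw[i:i + stride]
        if row[0] != 0:
            raise ValueError(f"unsupported filter type {row[0]}")
        rows.append(row[1:])
    return b"".join(rows)


def find_pe_headers(blob: bytes) -> list:
    """Offsets of every 'MZ' whose e_lfanew field points at a 'PE\\0\\0' signature."""
    hits = []
    pos = blob.find(b"MZ")
    while pos != -1:
        if pos + 0x40 <= len(blob):
            e_lfanew = struct.unpack_from("<I", blob, pos + 0x3C)[0]
            pe = pos + e_lfanew
            if pe + 4 <= len(blob) and blob[pe:pe + 4] == b"PE\x00\x00":
                hits.append(pos)
        pos = blob.find(b"MZ", pos + 1)
    return hits


def scan_png(png: bytes) -> dict:
    pixels = inflate_pixels(png)
    return {"inflated_size": len(pixels), "pe_offsets": find_pe_headers(pixels)}


# Constructed inputs: a PE-shaped stub (MZ header, e_lfanew -> 0x80, PE signature)
# hidden in the pixel data, and an ordinary gradient image for comparison.
FAKE_PE = (b"MZ" + b"\x00" * 0x3A + struct.pack("<I", 0x80)
           + b"\x00" * 0x40 + b"PE\x00\x00" + b"\x00" * 20)
SUSPICIOUS_PNG = build_png(FAKE_PE)
BENIGN_PNG = build_png(bytes(range(256)))

if __name__ == "__main__":
    for name, png in (("benign", BENIGN_PNG), ("suspicious", SUSPICIOUS_PNG)):
        print(name, scan_png(png))
```

The scan works on the inflated image rather than the file bytes, which is the point of the technique: static signatures applied to the PNG see only a zlib stream, while a conversion to BMP (or this equivalent inflate-and-unfilter pass) exposes the embedded executable. Real images usually use non-zero scanline filters, so a production scanner would need to implement the PNG unfiltering step; here that case is rejected explicitly rather than guessed at.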
