One of the most active APT groups in Asia is Naikon, known for its custom backdoor, called RARSTONE. The name Naikon comes from a custom user agent string, NOKIAN95/WEB located within the backdoor: “Nokian95″ The name of the group comes from the NOKIAN-NOKian-Web string in the backdoor. The target decided not to open the document and instead of opening it, they decided to check the story with the sender.”]
Source: https://securelist.com/the-chronicles-of-the-hellsing-apt-the-empire-strikes-back/69567/