the King of the Spear-Phishing
First seen: 2013-09 • Last seen: 2026-06
#KHNP • 2014-12
The KHNP incident combined destructive-malware emails, compromised KHNP-related mail accounts, stolen employee, retiree, and contractor documents, and public leak-and-shutdown threats. Its impact was limited to a small number of hosts and did not disrupt nuclear plant operations. Korean investigators reported thousands of destructive emails sent to KHNP employees, eight infected PCs, five initialized hard disks, similarities between the Hangul Word Processor exploit and malware and Kimsuky tooling, and infrastructure traces involving Chinese Shenyang IP ranges, a Korean VPN provider, and North Korean/KPTC-assigned IP access.
Related Reports: 5
Affected Countries: 1
Months Since: 138