North Korea-linked cyber threat organization Thallium carries out attacks using PDF document vulnerabilities

2021-08-03 ESTSecurity North Korea-linked cyber threat organization Thallium carries out attacks using PDF document vulnerabilities

https://blog.alyac.co.kr/3970


ESRC reports that the North Korea-linked Thallium group used malicious PDF documents in attacks against current and former South Korean personnel in diplomacy, security, defense, unification, and North Korea-related research. The campaign is assessed as an extension of the Fake Striker threat activity, moving beyond the group’s familiar malicious DOC macro lures to PDF exploitation between May and August 2021. The PDFs contained hidden script code that executed Base64-encoded shellcode and payload components, checked for VMware and domestic security software, and communicated with tksRpdl.atwebpages[.]com C2 infrastructure. ESRC highlights reused Thallium communication strings such as “WebKitFormBoundarywhpFxMBe19cSjFn” and warns that PDF files should not be treated as inherently safe in these target communities.
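A defensive triage check for PDFs of the kind described above, added here as an example and not code from the ESRC report: it scans raw PDF bytes for script and auto-action name objects, long Base64 runs that decode to a sizable blob, and the two indicators the report quotes (the reused boundary string and the C2 domain, refanged). The sample PDFs are constructed; compressed streams are not inflated, so this is a first-pass check, not a parser.

```python
import base64
import re

# Indicators quoted in the ESRC report (the C2 domain is refanged here).
THALLIUM_BOUNDARY = b"WebKitFormBoundarywhpFxMBe19cSjFn"
THALLIUM_C2 = b"tksRpdl.atwebpages.com"

# PDF name objects that signal embedded script or automatic actions.
SUSPICIOUS_NAMES = [b"/JavaScript", b"/JS", b"/OpenAction", b"/AA",
                    b"/Launch", b"/EmbeddedFile"]

# Runs of Base64 text long enough to plausibly carry shellcode or a payload.
B64_RUN = re.compile(rb"(?<![A-Za-z0-9+/])[A-Za-z0-9+/]{64,}={0,2}")


def triage_pdf(data: bytes, min_decoded_len: int = 48) -> dict:
    """Return findings for a PDF loaded as raw bytes (no stream inflation)."""
    findings = {
        "is_pdf": data.startswith(b"%PDF"),
        "script_objects": [n.decode() for n in SUSPICIOUS_NAMES if n in data],
        "base64_blobs": 0,
        "thallium_boundary": THALLIUM_BOUNDARY in data,
        "thallium_c2": THALLIUM_C2 in data,
    }
    for m in B64_RUN.finditer(data):
        try:
            decoded = base64.b64decode(m.group(0), validate=True)
        except ValueError:          # binascii.Error is a ValueError subclass
            continue
        if len(decoded) >= min_decoded_len:
            findings["base64_blobs"] += 1
    # Simple weighting: the report's own indicators count more than generic traits.
    findings["score"] = (len(findings["script_objects"]) + findings["base64_blobs"]
                         + 3 * findings["thallium_boundary"] + 3 * findings["thallium_c2"])
    return findings


# Constructed sample: an OpenAction that runs JavaScript carrying a Base64 blob
# and the reused boundary string.  Not a real Thallium document.
SAMPLE_PDF = (b"%PDF-1.7\n1 0 obj << /Type /Catalog /OpenAction 2 0 R >> endobj\n"
              b"2 0 obj << /S /JavaScript /JS (var p='" + base64.b64encode(b"A" * 60)
              + b"'; var b='WebKitFormBoundarywhpFxMBe19cSjFn';) >> endobj\n%%EOF\n")
# Constructed benign document for comparison.
CLEAN_PDF = b"%PDF-1.4\n1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n%%EOF\n"

if __name__ == "__main__":
    for name, doc in (("sample", SAMPLE_PDF), ("clean", CLEAN_PDF)):
        print(name, triage_pdf(doc))
```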
