North Korean hacking organization attacks defense industry companies during ROK-U.S. joint military exercises

2022-08-25 ESTSecurity North Korean hacking organization attacks defense industry companies during ROK-U.S. joint military exercises

https://blog.alyac.co.kr/4890


ESRC reported multiple attacks against South Korean defense-industry organizations during the ROK-U.S. joint military exercises that began on August 22, 2022. The activity used executable lures disguised as IP and MAC address lookup tools, double-extension JSE/VBS scripts, PIF files mimicking shortcut icons, and phishing pages imitating internal defense-company login services. Malware samples showed similar patterns and communicated with the same U.S.-hosted IP address, 216.189.154[.]6, while some lures appeared to reuse internal defense-sector documents protected by a Korean DRM solution. ESRC attributed the activity to Kimsuky/Thallium, linked to North Korea's Reconnaissance General Bureau, and assessed it as part of the ongoing Blue Estimate campaign targeting defense, aerospace, government-adjacent organizations, and related private experts.

Indicators of Compromise

Type   Value          First Seen   Last Seen
IPv4   216.189.154.6  2022-08-25   2024-03-12
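A hunting check for the lure patterns and C2 address described above, as an added example that is not ESRC's code or part of the original post. It assumes endpoint telemetry shaped as file-creation and network-connection events; the event type and field names, the list of decoy document extensions, and the sample events are all constructed for illustration. Double-extension names work because Windows Explorer hides known extensions by default, so "report.pdf.jse" displays as "report.pdf"; the first sample event shows the limit of name-based matching, since an executable posing as an IP/MAC lookup tool cannot be recognized from its file name alone.

```python
"""Hunting helper for the lure patterns and C2 address reported by ESRC.

Added example, not ESRC's code. It flags (1) double-extension script lures
such as "report.pdf.jse", (2) PIF files, and (3) outbound connections to the
reported C2 address. Event shape and field names are assumptions.
"""
from pathlib import PureWindowsPath
from typing import List, Optional, Tuple

# Script/executable extensions named in the report (JSE, VBS, PIF).
SCRIPT_EXTS = {".jse", ".vbs"}
# Document-style extensions used as the decoy half of a double extension.
# Assumed list for illustration; the report does not enumerate them.
DECOY_EXTS = {".pdf", ".hwp", ".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx", ".txt"}

C2_DEFANGED = "216.189.154[.]6"  # as reported by ESRC


def refang(ioc: str) -> str:
    """Turn a defanged indicator ("1.2.3[.]4", "hxxp://") back into a matchable value."""
    return ioc.replace("[.]", ".").replace("hxxp", "http")


C2_IP = refang(C2_DEFANGED)


def classify_filename(name: str) -> Optional[str]:
    """Return a reason string if the file name matches a lure pattern, else None.

    Accepts a bare name or a full Windows path; only the final component matters.
    """
    suffixes = [s.lower() for s in PureWindowsPath(name).suffixes]
    if not suffixes:
        return None
    last = suffixes[-1]
    if last == ".pif":
        return "PIF file (shortcut-icon lure)"
    # A script extension directly behind a document extension, e.g. ".hwp.vbs".
    if last in SCRIPT_EXTS and len(suffixes) >= 2 and suffixes[-2] in DECOY_EXTS:
        return f"double extension {suffixes[-2]}{last}"
    return None


def scan_events(events: List[dict]) -> List[Tuple[int, str]]:
    """Run the checks over event dicts; return (event_index, reason) alerts."""
    alerts: List[Tuple[int, str]] = []
    for i, ev in enumerate(events):
        if ev.get("type") == "file_create":
            reason = classify_filename(ev.get("path", ""))
            if reason:
                alerts.append((i, reason))
        elif ev.get("type") == "net_connect" and ev.get("dst_ip") == C2_IP:
            alerts.append((i, f"connection to reported C2 {C2_DEFANGED}"))
    return alerts


# Constructed sample telemetry (not from the report); event shape is assumed.
SAMPLE_EVENTS = [
    # Executable posing as a lookup tool: not detectable by name alone.
    {"type": "file_create", "path": r"C:\Users\kim\Downloads\IP_MAC_Checker.exe"},
    {"type": "file_create", "path": r"C:\Users\kim\Downloads\훈련계획.hwp.vbs"},
    {"type": "file_create", "path": r"C:\Users\kim\Desktop\계약서.pdf.jse"},
    {"type": "file_create", "path": r"C:\Users\kim\Desktop\회의록.pif"},
    {"type": "file_create", "path": r"C:\Users\kim\Documents\quarterly.docx"},
    {"type": "net_connect", "dst_ip": "216.189.154.6", "dst_port": 80, "proc": "wscript.exe"},
    {"type": "net_connect", "dst_ip": "8.8.8.8", "dst_port": 53, "proc": "svchost.exe"},
]


if __name__ == "__main__":
    for idx, why in scan_events(SAMPLE_EVENTS):
        print(f"event {idx}: {why} -> {SAMPLE_EVENTS[idx]}")
```

Run as-is to see the four alerts (the two double-extension files, the PIF file, and the connection to the reported address); the `.exe` lure and the ordinary `.docx` are not flagged, which is the expected gap for a name- and IP-based check. Extend `DECOY_EXTS` to whatever document types your organization actually exchanges, and feed `scan_events` from your EDR export rather than the constructed list.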
