Increase in Korea-tailored targeted attacks carrying Monero (XMR) cryptocurrency mining functionality
2018-01-15 • ESTSecurity • Increase in Korea-tailored targeted attacks carrying Monero (XMR) cryptocurrency mining functionality
ESRC reports that the operators behind Venus Locker shifted from ransomware activity seen in Korea since late 2016 to distributing malware that secretly mines Monero. The campaign used fluent Korean spear-phishing emails, including lures sent to nurse recruitment contact addresses exposed on Korean medical facility websites. Attachments contained disguised LNK shortcuts and hidden executable malware; the shortcuts masqueraded as image or document files but launched the embedded EXE. After execution, the malware checked for Sandboxie, VMware, and VirtualBox, changed registry settings to disable tools such as CMD, Registry Tools, Task Manager, and UAC, and injected Monero mining code into a legitimate process. The activity is operationally relevant because it shows a Korea-tailored threat actor reusing Venus Locker-style delivery tradecraft while changing the payload objective from extortion to covert cryptocurrency mining.
Indicators of Compromise
| Type | Value | First Seen | Last Seen |
|---|---|---|---|
| EMAIL | [email protected] | 2018-01-15 | 2018-01-18 |
| DOMAIN | xmr.pool.minergate.com | 2018-01-15 | 2018-01-18 |
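The following is an added detection example, not code from the ESRC report. It flags the two host-side artefacts the summary describes (the registry policy values that disable CMD, Registry Tools, Task Manager and UAC) and lookups of the mining-pool domain listed in the IoC table; the registry key paths are the standard Windows policy locations, and assuming the malware sets exactly these values is an assumption of the example, since the report names the tools but not the keys.

```python
import re

# Standard Windows policy values for disabling CMD, Registry Tools, Task Manager and UAC.
# The report names the tools but not the keys, so treating these as the values set is an assumption.
TAMPER_POLICIES = [
    (r"HKCU\Software\Policies\Microsoft\Windows\System", "DisableCMD", lambda v: v != 0),
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System", "DisableRegistryTools", lambda v: v != 0),
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System", "DisableTaskMgr", lambda v: v != 0),
    (r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System", "EnableLUA", lambda v: v == 0),
]

# Mining pool domain taken from the report's IoC table.
MINING_POOL_DOMAINS = {"xmr.pool.minergate.com"}

def audit_registry(values):
    """values maps (key_path, value_name) -> DWORD as exported from a host.
    Returns [(key_path, value_name, dword)] for every value in a tampered state."""
    findings = []
    for path, name, is_tampered in TAMPER_POLICIES:
        dword = values.get((path, name))
        if dword is not None and is_tampered(dword):
            findings.append((path, name, dword))
    return findings

# BIND-style query log line: "... client 10.0.0.17#51234 (name): query: name IN A ..."
DNS_LINE = re.compile(r"client (?P<src>[\d.]+)#\d+ .*?query: (?P<qname>\S+)")

def audit_dns(lines):
    """Returns [(source_ip, queried_name)] for every lookup of a listed mining pool."""
    hits = []
    for line in lines:
        m = DNS_LINE.search(line)
        qname = m.group("qname").rstrip(".").lower() if m else ""
        if qname in MINING_POOL_DOMAINS:
            hits.append((m.group("src"), qname))
    return hits

# Constructed sample data for demonstration, not taken from a real host.
SAMPLE_REGISTRY = {
    (r"HKCU\Software\Policies\Microsoft\Windows\System", "DisableCMD"): 2,
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System", "DisableTaskMgr"): 1,
    (r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System", "EnableLUA"): 0,
}
SAMPLE_DNS = [
    "15-Jan-2018 10:22:31.120 client 10.0.0.17#51234 (xmr.pool.minergate.com): query: xmr.pool.minergate.com IN A + (10.0.0.2)",
    "15-Jan-2018 10:22:35.004 client 10.0.0.18#49152 (www.example.com): query: www.example.com IN A + (10.0.0.2)",
]
if __name__ == "__main__":
    print(audit_registry(SAMPLE_REGISTRY), audit_dns(SAMPLE_DNS))
```

On a real host, feed audit_registry the same (key path, value name) pairs read from the registry and audit_dns the resolver's query log; a hit on either is a trigger to look for the injected miner in process memory.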