ESRC describes Operation Rocket Man, activity attributed in the excerpt to the Geumseong121 group, which has targeted South Korean North Korea-related organizations and defense-sector entities. The August 2018 case used spear phishing in which attackers impersonated a South Korean corporate HR employee and linked to compromised Korean web infrastructure instead of attaching the lure directly. The malware posed as a PC security program, installed additional components in stages, and used .NET version-dependent execution with PDB paths referencing Ant and Rocket project directories. Configuration data was downloaded as an encrypted desktops.ini file, decrypted with XOR 0x17, and used to communicate through PubNub command-and-control channels; the excerpt also lists delivery and payload URLs under m.ssbw.co.kr. ESRC connects the tooling and infrastructure to earlier campaigns using HWP documents, cloud services, endlesspaws.com, and false-flag Chinese-language artifacts intended to confuse threat intelligence analysis.