Geumseong121, <Rocket Man Campaign> Operation 'Black Banner' APT attack appears

2019-04-29 ESTSecurity Venus 121, <Rocketman Campaign> Operation 'Black Banner' APT attack appears

https://blog.alyac.co.kr/2281


ESRC observed a Geumseong121 spear-phishing operation targeting people active in North Korea-related organizations. The emails carried terse lures that encouraged recipients to open an attached HWP file. The HWP contained a BIN0001.eps PostScript stream and shellcode that contacted a Korean website, then downloaded a 32-bit EXE disguised as a GIF, built in April 2019 and packed with UPX. The payload registered itself as sogoupin.exe and attempted C2 communication with youngs.dgweb.kr/skin15/include/bin/home[.]php that included the string srvrlyscss, which ESRC linked to prior Geumseong121 activity. The report connects the case to Operation Black Banner and to TTPs reused from Operation Rocket Man, Golden Bird, and High Expert, reinforcing a pattern of already-patched HWP vulnerabilities being abused repeatedly in Korean-language spear-phishing campaigns.
