'Geumseong121' Group Conducts APT Attack Impersonating a North Korea Mission School Application Form
2019-06-15 • ESTSecurity
ESRC attributed a malicious HWP document disguised as a 17th North Korea Mission School application form to the Geumseong121 threat group. The file contained embedded PostScript in its BinData stream and XOR-encrypted shellcode that loaded a final binary into label.exe or sort.exe. The payload attempted command-and-control through a Dropbox token and API commands, while the document metadata reused a User1 account observed in earlier Geumseong121 operations. The archive preserves the HWP hash and Exploit.HWP.Agent detection context for defenders.