'Geumseong121 Organization', APT attack impersonating the Ministry of Unification, spreading malware through Google Drive

2019-04-22 ESTSecurity 'Geumseong121 Organization', APT attack impersonating the Ministry of Unification, spreading malware through Google Drive

https://blog.alyac.co.kr/2268


ESRC identified an Operation Fake News spear-phishing campaign in April 2019 that impersonated South Korea's Ministry of Unification and matched earlier 2018 ministry-themed activity that the report attributes to Geumseong121. The email's sender was made to look like the ministry, but header analysis showed Hostinger mail infrastructure and an authenticated sender at smellisgood.top, while an embedded tracking beacon at 155.138.236.240/sec[.]png recorded whether recipients opened the message. The attached HTML masqueraded as a secure-mail page, steered users toward Internet Explorer, displayed genuine Ministry of Unification images and text, and then contacted Google Drive to retrieve a file named memo.utr. That file carried a RIFF-like header as a disguise, was decoded through PowerShell and mapped into memory, and led to a final payload that exfiltrated victim information through pCloud. ESRC linked the tooling and design to earlier Geumseong121 cases, citing the repeated "Seculity Mail" typo and the false-flag Russian PDB strings seen in prior samples.
