ESRC attributes Operation Printing Paper to the government-backed Geumseong121 cluster after a new malicious HWP file from April 2019 reused academic-conference content as a spear-phishing lure. The HWP contained a BIN0001.eps PostScript stream that wrote SamsungPrinter47.vbs into the Startup path and launched Cache62.bat from %appdata%. That batch file combined split .wta01 fragments into SamsungVer3.01.03Printer.com, disguising the assembled executable as a Samsung printer component. ESRC compares the EPS structure and document-author artifacts with the earlier “Delphi survey” case and Operation Korean Sword, arguing that Geumseong121 repeatedly reused the same HWP exploitation and staged file-assembly tradecraft against South Korean targets.