Geumseong121 organization conducts APT attack based on HWP OLE

2020-12-16 ESTSecurity Geumseong 121 organization conducts APT attack based on HWP OLE

https://blog.alyac.co.kr/3451


ESRC documented a Geumseong121/Kimsuky-linked HWP spear-phishing case that shifted from PostScript-based HWP exploitation to abuse of embedded OLE objects. The lure email carried an HWP participation-application form; clicking a transparent object that covered the whole page launched an embedded HncApp.exe from the temporary folder, so the chain relied on user interaction rather than on a software vulnerability. The executable XOR-decoded an embedded payload, copied itself to Public Documents as IDMhelpAssist.exe, created an HKCU Run value named IDMhelp for persistence, and used PowerShell to contact price365.co[.]kr/abbi/json/ps/aa.php. The report ties that infrastructure to earlier Geumseong121 activity and warns that OLE-based document attacks can remain effective even on fully patched HWP installations whenever users approve execution of the embedded object.
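The chain above (Hwp.exe spawning an executable from a temp folder, a Run value pointing into Public Documents, PowerShell reaching the reported host) maps cleanly onto endpoint telemetry. The following Python triage script is an added example, not code from the ESRC post: it runs three behavioural rules over constructed Sysmon-style event records. The event field names and sample file paths are assumptions; the indicator values (HncApp.exe, IDMhelpAssist.exe, the IDMhelp Run value, price365.co.kr) are the ones the summary names.

```python
import ntpath
import re
from typing import Callable, Dict, List, Tuple

# Constructed sample telemetry (not from the report). Field names are loosely
# Sysmon-like: process_create, file_create, registry_set, network_connect.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"type": "process_create", "image": r"C:\Program Files (x86)\Hnc\Office\Hwp.exe",
     "parent": r"C:\Windows\explorer.exe"},
    # Stage 1: the embedded OLE object is dropped to %TEMP% and run by the viewer.
    {"type": "process_create", "image": r"C:\Users\alice\AppData\Local\Temp\HncApp.exe",
     "parent": r"C:\Program Files (x86)\Hnc\Office\Hwp.exe"},
    {"type": "file_create", "image": r"C:\Users\alice\AppData\Local\Temp\HncApp.exe",
     "target": r"C:\Users\Public\Documents\IDMhelpAssist.exe"},
    # Stage 2: persistence via an HKCU Run value named IDMhelp.
    {"type": "registry_set", "image": r"C:\Users\alice\AppData\Local\Temp\HncApp.exe",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\IDMhelp",
     "value": r"C:\Users\Public\Documents\IDMhelpAssist.exe"},
    # Stage 3: PowerShell contacts the reported host.
    {"type": "network_connect",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Users\Public\Documents\IDMhelpAssist.exe",
     "dest_host": "price365.co.kr"},
    # Benign noise: a vendor updater writing its own Run value, and an ordinary
    # PowerShell session. Neither should fire a rule.
    {"type": "registry_set", "image": r"C:\Program Files\Vendor\Updater.exe",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\VendorUpdate",
     "value": r"C:\Program Files\Vendor\Updater.exe"},
    {"type": "network_connect",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Windows\explorer.exe", "dest_host": "www.powershellgallery.com"},
]

# Refanged from price365.co[.]kr as written in the report.
C2_HOSTS = {"price365.co.kr"}
TEMP_DIR = re.compile(r"\\(Temp|Tmp)\\", re.IGNORECASE)
RUN_VALUE = re.compile(r"\\CurrentVersion\\Run\\([^\\]+)$", re.IGNORECASE)
PUBLIC_DOCS = re.compile(r"^[A-Z]:\\Users\\Public\\Documents\\", re.IGNORECASE)


def base(path: str) -> str:
    """Lower-cased file name of a Windows path (works on any host OS)."""
    return ntpath.basename(path).lower()


def rule_hwp_spawns_temp_exe(ev: Dict[str, str]) -> bool:
    """Hwp.exe launching an .exe from a temp folder: the OLE object being executed."""
    return (ev["type"] == "process_create"
            and base(ev.get("parent", "")) == "hwp.exe"
            and ev["image"].lower().endswith(".exe")
            and TEMP_DIR.search(ev["image"]) is not None)


def rule_run_key_to_public_docs(ev: Dict[str, str]) -> bool:
    """Any Run value whose target lives under Public Documents (IDMhelp in the report)."""
    if ev["type"] != "registry_set":
        return False
    return (RUN_VALUE.search(ev.get("key", "")) is not None
            and PUBLIC_DOCS.match(ev.get("value", "")) is not None)


def rule_powershell_to_known_c2(ev: Dict[str, str]) -> bool:
    """powershell.exe connecting to a host tied to this campaign."""
    return (ev["type"] == "network_connect"
            and base(ev["image"]) == "powershell.exe"
            and ev.get("dest_host", "").lower() in C2_HOSTS)


RULES: Dict[str, Callable[[Dict[str, str]], bool]] = {
    "hwp_spawns_temp_exe": rule_hwp_spawns_temp_exe,
    "run_key_to_public_docs": rule_run_key_to_public_docs,
    "powershell_to_known_c2": rule_powershell_to_known_c2,
}


def detect(events: List[Dict[str, str]]) -> List[Tuple[int, str]]:
    """Return (event_index, rule_name) for every event that matches a rule."""
    hits: List[Tuple[int, str]] = []
    for i, ev in enumerate(events):
        for name, rule in RULES.items():
            if rule(ev):
                hits.append((i, name))
    return hits


def chain_score(events: List[Dict[str, str]]) -> int:
    """Number of distinct stages of the reported chain seen; 3 means the full chain."""
    return len({name for _, name in detect(events)})


if __name__ == "__main__":
    for idx, name in detect(SAMPLE_EVENTS):
        print(f"event {idx}: {name} -> {SAMPLE_EVENTS[idx]['image']}")
    print("stages observed:", chain_score(SAMPLE_EVENTS))
```

The first rule is the one worth keeping on a patched estate: it fires on the user-approved execution path the report warns about, independent of any HWP version. The Run-value rule is deliberately broader than the IDMhelp name so a renamed value is still caught, and the C2 rule is the narrowest and ages fastest as infrastructure changes.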
