Geumseong121 APT Group Carries Out a Fusion Attack Using Steganography and Targeting Smartphones

2019-08-05, ESTSecurity

https://blog.alyac.co.kr/2452

ESRC reported a Geumseong121 operation targeting people connected to North Korean defector support, using a two-stage spear-phishing approach rather than a direct malicious attachment. The lure delivered a text file with a shortened URL that led to Dropbox-hosted Windows EXE and Android APK malware, combining desktop and mobile targeting in the same campaign. The Windows payload masqueraded as a JPG viewer and the broader activity used steganography and follow-on C2 infrastructure to evade casual inspection. The case shows Geumseong121 expanding beyond HWP-only lures into multi-platform social engineering against Korea-focused targets.
