Geumseong121 APT Group Attempts Spear-Phishing Attack Using Security and Unification News

2019-07-02 ESTSecurity: Geumseong121 APT group attempts spear-phishing attack with news related to security and unification

https://blog.alyac.co.kr/2396


ESRC observed a spear-phishing attack impersonating a South Korean security and unification research center and delivering a ZIP archive with three HWP documents, one of which was malicious. The malicious HWP, themed around North Korean political operations, contained an obfuscated BIN0002.ps PostScript stream that decoded with an XOR 0xA4 routine and injected malicious code into a legitimate process. The final payload was built on July 2, 2019 and used a Dropbox token for command-and-control communications, exposing selected targets to possible follow-on activity. ESRC attributed the operation to the Geumseong121 group and noted that updated Hancom Office versions were not affected by the exploited HWP condition.
