Geumseong121 APT group, 'Operation High Expert'

2019-04-02 ESTSecurity Geumseong121 APT organization, 'Operation High Expert'

https://blog.alyac.co.kr/2226


ESTsecurity attributes a set of Rocketman campaign cases to the Geumseong121 threat group and assesses that a DPRK state-sponsored actor is behind the activity. The group targeted South Korean organizations working on North Korea-related topics (diplomacy, security, unification, defense, and defectors), primarily through spear-phishing with HWP and XLS document files. The excerpt describes HWP exploit documents, XLS files that abuse external data links and DDE-style PowerShell execution, and phishing lures such as cash-receipt emails impersonating a payment service. Operator artifacts, including the easy and HighExpert account names, document metadata paths, an OLE-embedded hwp.exe masquerade, UPX scrambling, and a reused PDB path, served as OPSEC-failure evidence linking the newer HighExpert activity to the earlier Rocketman reporting. Infrastructure references include youngs.dgweb.kr, paths on 211.218.126.236, and wooridz.com configuration files reused across related attacks.
