Geumseong121 (금성121) government-based APT group carrying out 'Operation Korean Sword'

2018-11-16, ESTSecurity

http://blog.alyac.co.kr/1985


ESRC attributes Operation Korean Sword to Geumseong121, also tracked as APT37, Group123, RedEyes, and ScarCruft, and describes spear-phishing attacks against South Korean activists and organizations connected to North Korea issues. The campaign relied heavily on malicious HWP documents exploiting embedded EPS code, while the report also notes the group’s broader use of DOC macro lures and XLS files carrying Flash exploits. August and September variants shared document metadata such as the author strings gichang and User1, but changed execution logic from startup BAT files to VBS-triggered BAT chains. Later November activity used a spear-phishing email with a Korean “record sheet” HWP lure, rebuilt split payload components into an executable, and deployed a Themida-packed RAT that attempted information theft through pCloud infrastructure. The report identifies a pCloud token and the account [email protected] as infrastructure evidence tied to the attacker setup.

Indicators of Compromise

Type    Value                    First Seen  Last Seen
EMAIL   [email protected]        2018-11-16  2018-11-16
DOMAIN  memoryorder85584031.com  2018-11-16  2018-11-16
