Beware of the Increase in North Korea-Backed Hacking That Lures Victims with Financial-Company Notices or North Korean Internal Information
2022-01-13 • ESTSecurity
ESRC reported an increase in North Korea-backed hacking that used financial-company notices and lures themed on North Korean internal information against people working in North Korea-related fields. One campaign impersonated a domestic credit card billing notice and used a crafted area of the email that appeared to contain an HTML statement file; clicking it instead redirected victims to a phishing site designed to steal account credentials. The activity used 162.216.224[.]39 as the sending source and bigfilemail[.]net as command-and-control (C2) infrastructure, and ESRC noted a North Korean spelling clue in an error message observed during C2 analysis. The report also describes HWP malware that abuses OLE package content, hidden hexadecimal code, and PowerShell commands to communicate with work3.b4a[.]app, using North Korean internal-information themes as bait.