Kimsuky group launches watering hole 'Operation Low Kick' (김수키 조직, 워터링 홀 개시 '오퍼레이션 로우 킥(Operation Low Kick)')

2019-03-21 ESTSecurity: Kimsuky group launches watering hole 'Operation Low Kick'

https://blog.alyac.co.kr/2209


ESRC reported a March 2019 watering-hole campaign against South Korean public and private policy sites and a reunification research organization visited by defense, diplomacy and North Korea-focused researchers. The intrusions injected obfuscated VBS/JavaScript exploiting CVE-2018-8174, launched svchost.exe, downloaded shellcode disguised as image files, and injected a decoded module into userinit.exe. The final malware collected system information, logged keystrokes, and attempted to steal document data such as HWP, DOC and PDF files. ESRC associated the infrastructure, including mail.membercp.net and redirects to hanmail.membercp.net, with Kimsuky activity and named the campaign Operation Low Kick.
