Kimsuky Group Launches 'Fake Striker' APT Operation Targeting South Korea

2019-05-20 ESTSecurity Kimsuky group launches 'Fake Striker' APT operation targeting South Korea

https://blog.alyac.co.kr/2315

ESRC reports active Kimsuky spear-phishing against people in South Korean diplomacy, security, defense, unification, and North Korea-related fields. The Operation Fake Striker lure impersonated a Ministry of Unification sender and used deadline pressure plus deletion instructions to push a malicious HWP attachment disguised as denuclearization dialogue reference material. The HWP used password protection, BIN0001.eps PostScript content, XOR-decoded shellcode and payload data, and a 32-bit EXE that collected directory listings, system information, and process data. The payload attempted to communicate with nid2-naver-com.medianewsonline.com, reused Kimsuky-like WebKitFormBoundarywhpFxMBe19cSjFnG form data, and used the string tjdrhd16, which maps to a Korean keyboard phrase meaning “success16.”
