Spear-phishing attack impersonating a 'national research institute in the field of North Korea' discovered, believed to be the work of the Kimsuky organization
2019-10-17 • ESTSecurity
A spear-phishing email impersonated the Korea Institute for National Unification and delivered a malicious HWP document disguised as an expert consultation request on the U.S.–ROK alliance and Korea-China relations. If opened, the document infected the system, collected host information, recently opened document lists, and running process data, then left the PC waiting for further attacker commands. The malware also disguised components as legitimate modules from domestic software and security companies. ESRC assessed the malware-building techniques and attack style as largely matching prior Kimsuky activity, while noting that the actor attribution is an assessment based on those similarities.