Kimsuky group: beware of the 'Blue Estimate Part3' APT attack disguised as a real resident registration certificate (주민등록등본) file

2020-02-06 ESTsecurity: Kimsuky group, beware of 'Blue Estimate Part3' APT attacks disguised as actual resident registration certificate files

https://blog.alyac.co.kr/2737


ESTsecurity reported a February 2020 Operation Blue Estimate variant that masqueraded as a scanned resident registration certificate PDF tied to a former education-sector official. The malware was an SCR executable carrying a double extension; on launch it displayed a decoy image and dropped a 64-bit DLL named Hero.dll from its embedded resources. The sample reused artifacts seen in earlier Blue Estimate activity, including the HelloSidney mutex, Korean-language build traces, MAC address and serial-number collection code, and an AppleSeed64 PDB path. The report identifies mernberinfo.tech, resolving to 213.190.6.159, as C2 infrastructure and states that ESTsecurity attributed the activity to Kimsuky.

Indicators of Compromise

Type   Value                               First Seen   Last Seen
HASH   35d60d2723c649c97b414b3cb701df1c    2019-12-03   2024-08-14
HASH   cf87475a87cb2172e73ee6afa7eb6384    2020-02-06   2020-02-06
HASH   20add5eb5fbe527a8b6090a08e7636a6    2020-02-06   2020-02-06
URL    https://www.threatinside.com/       2020-02-06   2020-02-06
IPv4   213.190.6.159                       2020-02-06   2020-02-06
HASH   da799d16aed24cf4f8ec62d5048afd1a    2020-01-23   2020-02-06
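The artifacts summarized above (the hash list, the reused strings HelloSidney, AppleSeed64 and Hero.dll, the C2 domain and IP, and the double-extension SCR lure) are enough for a first-pass file triage. The following Python is an added example, not ESTsecurity's code: it hashes a file against the IOC table, searches for the indicator strings in both ASCII and UTF-16LE (PE string tables are often wide), and flags executables whose name hides .scr/.exe behind a document extension. The sample bytes and filenames are constructed here, the 32-hex-character hashes are assumed to be MD5, and the decoy-extension list and scoring thresholds are my own assumptions beyond the single PDF lure the page describes.

```python
"""Added triage example (not ESTsecurity's code): check files against the
indicators summarized on the page. All sample inputs below are constructed."""
import hashlib
from pathlib import PurePath

# Hash indicators copied from the page's IOC table (assumed MD5: 32 hex chars).
IOC_MD5 = {
    "35d60d2723c649c97b414b3cb701df1c",
    "cf87475a87cb2172e73ee6afa7eb6384",
    "20add5eb5fbe527a8b6090a08e7636a6",
    "da799d16aed24cf4f8ec62d5048afd1a",
}

# Reused artifacts named in the summary; order matters for the returned hit list.
IOC_STRINGS = [
    b"HelloSidney",        # mutex name
    b"AppleSeed64",        # fragment of the PDB path
    b"Hero.dll",           # dropped 64-bit DLL
    b"mernberinfo.tech",   # C2 domain
    b"213.190.6.159",      # C2 IP
]

# Assumption: document-like inner extensions commonly used as lures; the page only shows a PDF lure.
DECOY_EXTS = {".pdf", ".hwp", ".doc", ".docx", ".jpg", ".png"}
EXEC_EXTS = {".scr", ".exe"}


def is_double_extension_executable(name: str) -> bool:
    """True for names like 'scan.pdf.scr': an executable extension behind a document one."""
    suffixes = [s.lower() for s in PurePath(name).suffixes]
    return len(suffixes) >= 2 and suffixes[-1] in EXEC_EXTS and suffixes[-2] in DECOY_EXTS


def md5_hex(data: bytes) -> str:
    """MD5 of the file bytes, lowercase hex, to compare with the IOC table."""
    return hashlib.md5(data).hexdigest()


def find_ioc_strings(data: bytes) -> list[str]:
    """Return the indicator strings present, matching ASCII or UTF-16LE encodings."""
    hits = []
    for s in IOC_STRINGS:
        wide = s.decode("ascii").encode("utf-16-le")
        if s in data or wide in data:
            hits.append(s.decode("ascii"))
    return hits


def triage(name: str, data: bytes) -> dict:
    """Score one file: a hash match is conclusive; naming and strings are supporting evidence.
    Thresholds are an assumption for this example, not a published rule."""
    digest = md5_hex(data)
    result = {
        "name": name,
        "md5": digest,
        "hash_match": digest in IOC_MD5,
        "is_pe": data[:2] == b"MZ",
        "double_ext": is_double_extension_executable(name),
        "string_hits": find_ioc_strings(data),
    }
    score = 0
    if result["hash_match"]:
        score += 100
    if result["double_ext"] and result["is_pe"]:
        score += 40
    score += 20 * len(result["string_hits"])
    result["score"] = score
    result["verdict"] = "malicious" if score >= 60 else ("suspicious" if score >= 20 else "clean")
    return result


# Constructed samples (not real malware): a fake PE header followed by two indicator
# strings, one ASCII and one UTF-16LE, under a double-extension lure name.
SAMPLE_NAME = "등본_스캔.pdf.scr"
SAMPLE_SCR = (
    b"MZ" + b"\x00" * 62
    + b"HelloSidney\x00"
    + "AppleSeed64".encode("utf-16-le")
    + b"\x00" * 16
)
CLEAN_NAME = "notes.txt"
CLEAN_DATA = b"hello world"

if __name__ == "__main__":
    for n, d in ((SAMPLE_NAME, SAMPLE_SCR), (CLEAN_NAME, CLEAN_DATA)):
        r = triage(n, d)
        print(f"{r['name']}: {r['verdict']} (score {r['score']}, strings {r['string_hits']})")
```

On real samples, run `triage(path.name, path.read_bytes())` over a quarantine directory; a hash hit alone is decisive, while the string and naming signals are meant to surface repacked variants that share the mutex, PDB path or C2 but not the hash.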
