North Korea-related Hangul documents (HWP) being distributed

2021-12-24 AhnLab Disseminating Hangul documents (HWP) related to North Korea

https://asec.ahnlab.com/ko/30149/


AhnLab's ASEC reports malicious Hangul Word Processor (HWP) documents using a North Korea-related construction lure. The documents carry no exploit: they rely on embedded objects and a hyperlink the user has to click. Once clicked, a legitimate OneDrive updater binary is used to side-load a malicious iphlpapi.dll placed alongside it (the executable resolves the DLL from its own directory before the system directory). The DLL decodes embedded payloads into the user's AppData directory, hides AhnLab V3 detection windows, and registers a scheduled task that runs every 121 minutes. The chain drops VBS and PowerShell components into the user profile, shows a benign HWP decoy, and fetches attacker-controlled instructions through Google Drive and Google Docs, so further commands can be issued to infected hosts later. The report notes the continued use of HWP lures in Korea-focused activity and lists the detections Dropper/HWP.HyperLink and Trojan/Win.Kimsuky.C4848645.

Indicators of Compromise

All listed hashes are 32 hexadecimal characters (MD5).

Type        Value                             First seen   Last seen
HASH (MD5)  a7077d9a2c98ec2d0b3b1c12f23b2a79  2021-12-24   2025-04-01
HASH (MD5)  a532a4fe38b76f53885158aa3b75e5dc  2021-12-24   2021-12-24
HASH (MD5)  8ec6e4d3a6142b8bde35899e7fdae42e  2021-12-24   2021-12-24
HASH (MD5)  3c45e0def2845cc130a9331c774d3935  2021-12-24   2021-12-24
HASH (MD5)  41aca1d4282dfb41356ee95e933eedc1  2021-12-24   2021-12-24
