North Korea-Linked APT Attack Found Disguised as a Digital Asset Wallet Service Customer Center

2022-02-16 ESTSecurity North Korea-Linked APT Attack Found Disguised as a Digital Asset Wallet Service Customer Center

https://blog.alyac.co.kr/4501


ESRC identified a malicious Word document distributed as a Klip digital asset wallet customer-center notice, using the filename '[Klip Customer Center] Wrong Token Transfer Resolution Guide.doc'. The document used protected-content social engineering to persuade users to enable macros, then dropped an XML-formatted file and attempted to contact command-and-control infrastructure. ESRC attributed the activity to the Smoke Screen campaign associated with Thallium, also known as Kimsuky, and noted that the C2 was unavailable during analysis. The report provides two defanged C2 URLs under asenal.medianewsonline.com and states that Alyac detects the file as Trojan.Downloader.DOC.Gen.

Indicators of Compromise

Type     Value                              First Seen   Last Seen
URL      http://asenal.medianewsonline.c…   2022-02-16   2022-02-16
URL      http://asenal.medianewsonline.c…   2022-02-16   2022-02-16
DOMAIN   asenal.medianewsonline.com         2022-02-16   2022-02-16
