Lazarus and Thallium: advisory on a sharp rise in targeted attacks against experts in diplomacy, security, defense and unification
2021-04-20 • ESTsecurity
ESTsecurity warns that Lazarus- and Thallium-attributed activity against South Korean experts and organizations in diplomacy, security, defense and unification is increasing, and that some defense-industry and military specialists have also been targeted. The lures are tailored emails. In one pattern a benign survey document is sent first to build trust; a password-protected malicious DOC follows, with a cash honorarium promised for completing it. Password protection is the point of the second step: an encrypted attachment cannot be inspected by mail-gateway scanners, so the macro is only exposed once the recipient types the password and opens the file. In the Thallium-linked cases the sender infrastructure was hosted on ProtonMail. The Lazarus-linked document embeds manipulated PNG data and a macro routine (WIA_ConvertImage) that uses the Windows Image Acquisition COM objects to convert that image to BMP. The conversion is the trick: PNG pixel data is zlib-compressed, BMP pixel data is not, so the converted file contains the hidden script as plain bytes that the macro can carve out and execute, while a string scan of the original document sees only compressed image data. This is a steganography-style technique, and a practical check is to inspect macros for WIA.ImageFile or ImageProcess usage and to scan decoded pixel data rather than the container. The report cites abused Korean web hosts used as C2, such as jinjinpig.co[.]kr, and notes that ALYac detects the document as Trojan.Downloader.DOC.Gen.
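The PNG-to-BMP step and the detection consequence, as an added example that is not ESTsecurity's code and not the Lazarus sample. It builds a PNG whose pixel bytes hold a constructed stand-in script, shows that the script is absent from the PNG file bytes but present in the raw pixels and in the BMP written from them, and scans decoded pixel data for marker strings. The payload text, image geometry, marker list and the unchanged channel order in the BMP writer are all assumptions made for illustration; only the Python standard library is used.

```python
"""Added example (not ESTsecurity's code, not the Lazarus sample): a model of
the PNG -> BMP decompression step and a scanner that inspects decoded pixels.
Payload, image geometry and marker strings are constructed for illustration."""
from __future__ import annotations

import struct
import zlib

# Constructed stand-in for the hidden script; the real sample's script is not reproduced.
PAYLOAD = (b'<script language="VBScript">'
           b'CreateObject("WScript.Shell").Run "calc.exe"</script>')

# Substrings a triage scanner might look for in decoded image data (assumption).
SUSPICIOUS_MARKERS = (b"<script", b"CreateObject", b"WScript.Shell", b"powershell")

PNG_MAGIC = b"\x89PNG\r\n\x1a\n"


def _chunk(ctype: bytes, data: bytes) -> bytes:
    """Serialize one PNG chunk: big-endian length, type, data, CRC32 over type+data."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)


def build_png_with_payload(payload: bytes) -> bytes:
    """Build a one-row 8-bit RGB PNG whose pixel bytes are the payload plus zero padding.

    IDAT is zlib-compressed, so the payload is not present verbatim in the PNG file;
    it reappears only when the image is decoded to raw pixels, which is exactly what
    converting the PNG to an uncompressed BMP does."""
    width = max(64, -(-len(payload) // 12) * 4)   # ceil(len/3) pixels, rounded to a multiple of 4
    raw = payload.ljust(width * 3, b"\x00")
    scanline = b"\x00" + raw                      # filter type 0 (None) byte prefixes each row
    ihdr = struct.pack(">IIBBBBB", width, 1, 8, 2, 0, 0, 0)  # 8-bit depth, colour type 2 (RGB)
    return (PNG_MAGIC + _chunk(b"IHDR", ihdr)
            + _chunk(b"IDAT", zlib.compress(scanline, 9)) + _chunk(b"IEND", b""))


def decode_png_pixels(png: bytes) -> tuple[bytes, int, int]:
    """Minimal decoder for unfiltered 8-bit RGB PNGs. Returns (pixels, width, height)."""
    if png[:8] != PNG_MAGIC:
        raise ValueError("not a PNG")
    pos, idat, width, height = 8, b"", 0, 0
    while pos + 8 <= len(png):
        length, ctype = struct.unpack(">I4s", png[pos:pos + 8])
        data = png[pos + 8:pos + 8 + length]
        if ctype == b"IHDR":
            width, height, depth, colour = struct.unpack(">IIBB", data[:10])
            if (depth, colour) != (8, 2):
                raise ValueError("example handles 8-bit RGB only")
        elif ctype == b"IDAT":
            idat += data
        pos += 12 + length                         # length + type + data + crc
    stride = 1 + width * 3
    scanlines = zlib.decompress(idat)
    pixels = bytearray()
    for r in range(height):
        line = scanlines[r * stride:(r + 1) * stride]
        if line[0] != 0:
            raise ValueError("example handles filter type 0 only")
        pixels += line[1:]
    return bytes(pixels), width, height


def pixels_to_bmp(pixels: bytes, width: int, height: int) -> bytes:
    """Write an uncompressed 24-bit BMP (bottom-up rows, 4-byte padded) from raw pixels.
    Simplification: channel order is left unchanged; a real converter writes BGR, so an
    attacker pre-arranges the bytes to read correctly after the swap."""
    row = width * 3
    pad = b"\x00" * ((-row) % 4)
    body = b"".join(pixels[r * row:(r + 1) * row] + pad for r in reversed(range(height)))
    file_header = struct.pack("<2sIHHI", b"BM", 54 + len(body), 0, 0, 54)
    dib_header = struct.pack("<IiiHHIIiiII", 40, width, height, 1, 24, 0, len(body),
                             2835, 2835, 0, 0)
    return file_header + dib_header + body


def markers_in(blob: bytes) -> list[str]:
    """Naive substring scan, as a string-based scanner would do over a file's bytes."""
    return [m.decode() for m in SUSPICIOUS_MARKERS if m in blob]


def scan_png_decoded(png: bytes) -> list[str]:
    """The check a triage tool should make: scan decoded pixel data, not the container."""
    pixels, _, _ = decode_png_pixels(png)
    return markers_in(pixels)


if __name__ == "__main__":
    png = build_png_with_payload(PAYLOAD)
    pixels, w, h = decode_png_pixels(png)
    bmp = pixels_to_bmp(pixels, w, h)
    print("markers in PNG file bytes:", markers_in(png))       # container only: []
    print("markers in decoded pixels:", scan_png_decoded(png))
    print("markers in converted BMP:", markers_in(bmp))
    print("payload present verbatim in BMP:", PAYLOAD in bmp)
```

Running the block shows the asymmetry the advisory describes: the string scan over the PNG bytes finds nothing, while the same scan over the decoded pixels, or over the BMP that a WIA conversion writes, finds every marker. A document scanner that stops at the container therefore needs to decode embedded images (or flag macros that reference WIA.ImageFile/ImageProcess) to catch this pattern.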