Rocketman APT campaign, 'Operation Golden Bird'
2019-03-20 • ESTSecurity • Rocketman APT campaign, 'Operation Golden Bird'
ESRC identified Operation Golden Bird as a March 2019 spear-phishing campaign aimed mainly at South Korean figures working on North Korea-related affairs, diplomacy, security, unification, defense, defector and civic-organization issues. The lure was a Korean HWP resume document that relied on a hyperlink to execute a bundled payload, desktop.scr, disguised as a screen saver, rather than embedded EPS or OLE content. The payload decoded embedded data with single-byte XOR 0x59, downloaded additional content from inhyunits.co.kr, installed a persistence module in the Startup folder as iCloud.exe, and displayed a decoy image to preserve the resume pretext. A later stage used UPX packing with section scrambling, checked MAC address patterns associated with VMware or VirtualBox to detect analysis environments, and contacted youngs.dgweb.kr/skin15/include/bin/visab.php for command-and-control. ESRC connected the activity to Rocket Man-related operations and noted overlaps with other campaigns targeting South Korean government, defense and North Korea-focused communities.
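As an added illustration (not code from ESRC or the original report), the following triage helper matches proxy-log lines against the two network indicators named in the summary and shows the single-byte XOR 0x59 unpacking described for the first stage. The log line format, the client addresses, the `/upload/stage2.dat` path and the sample bytes are all constructed for the example; only the hostnames, the C2 path and the XOR key come from the summary.

```python
"""Added example: IoC triage for the Operation Golden Bird summary.

Network indicators and the XOR key are taken from the summary; the log
format and every sample line below are constructed for demonstration.
"""
import re
from urllib.parse import urlsplit

# Indicators stated in the summary.
IOC_HOSTS = {"inhyunits.co.kr", "youngs.dgweb.kr"}
IOC_C2_URLS = {("youngs.dgweb.kr", "/skin15/include/bin/visab.php")}
XOR_KEY = 0x59

# Constructed proxy log (assumed format: timestamp client "METHOD url" status).
# The stage2.dat path is a placeholder, not an indicator from the report.
SAMPLE_LOG = """\
2019-03-18T09:12:01Z 10.0.0.14 "GET http://inhyunits.co.kr/upload/stage2.dat" 200
2019-03-18T09:12:05Z 10.0.0.14 "GET http://www.example.org/index.html" 200
2019-03-18T09:13:40Z 10.0.0.14 "POST http://youngs.dgweb.kr/skin15/include/bin/visab.php" 200
2019-03-18T09:14:02Z 10.0.0.22 "GET http://youngs.dgweb.kr/other/page.php" 404
"""

LINE_RE = re.compile(r'^(\S+) (\S+) "(\w+) (\S+)" (\d{3})$')


def classify_line(line):
    """Classify one log line as 'c2', 'ioc-host' or None, with client/host/path.

    'c2'       : exact match on the command-and-control host and path
    'ioc-host' : any other request to a host named in the summary
    """
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    _ts, client, _method, url, _status = m.groups()
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    path = parts.path or "/"
    if (host, path) in IOC_C2_URLS:
        return ("c2", client, host, path)
    if host in IOC_HOSTS:
        return ("ioc-host", client, host, path)
    return None


def scan_log(text):
    """Return the list of (kind, client, host, path) hits across a log."""
    hits = []
    for line in text.splitlines():
        result = classify_line(line)
        if result is not None:
            hits.append(result)
    return hits


def xor_decode(data, key=XOR_KEY):
    """Apply the single-byte XOR used by the first stage (self-inverse)."""
    return bytes(b ^ key for b in data)


def affected_clients(text):
    """Distinct client addresses that touched any indicator, sorted."""
    return sorted({client for _kind, client, _h, _p in scan_log(text)})


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
    print("clients to review:", affected_clients(SAMPLE_LOG))
    # Constructed blob: encoding and decoding with 0x59 are the same operation.
    blob = xor_decode(b"constructed sample")
    print(xor_decode(blob))
```

Running the script over the constructed log flags the download from inhyunits.co.kr and the other request to youngs.dgweb.kr as host-level hits and the visab.php request as the C2 match, giving two client addresses to review; the XOR helper round-trips because XOR with a fixed byte is its own inverse.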