Beware of malicious Hangul (HWP) documents using a linked object - coin company impersonation

2020-07-14 AhnLab warning on a malicious HWP document that uses a linked object and impersonates a coin company

https://asec.ahnlab.com/1354


AhnLab analyzed a malicious HWP document that impersonates a cryptocurrency company's policy update and uses a linked object (an OLE-embedded executable named hanwordupdate.exe) to trick users into launching it. The embedded EXE carries a Base64-encoded PowerShell script that copies the malware from %TEMP% to %APPDATA%\svchost.exe and registers a Run key named HyperServer for persistence. It builds a victim identifier from the system BIOS serial number and contacts http://kjdnc.gp114.net/data/log/do.php for command and control. If the C2 server responds, the malware can execute commands, upload files to the C2 server, and download additional payloads, consistent with an APT-style document intrusion.
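The behaviour chain above maps onto a few host-level detections: the Hangul word processor spawning hanwordupdate.exe, a Run value named HyperServer pointing at an svchost.exe under %APPDATA%, svchost.exe running from anywhere but System32, and a DNS lookup of the C2 domain. The following added example (constructed for this page, not AhnLab's code) runs those checks over hand-made Sysmon-like event records; the field names, the user paths and the hwp.exe process name are assumptions.

```python
"""Detection logic for the HWP-delivered backdoor summarised above.
Constructed example for this page, not AhnLab's code: the events are hand-made
Sysmon-like dicts; field names, user paths and the hwp.exe name are assumptions."""
import re

C2_DOMAIN = "kjdnc.gp114.net"  # C2 domain from the report's IoC table
RUN_VALUE = "hyperserver"      # Run key value name registered for persistence
# The dropped copy lives in %APPDATA% (Roaming); the real svchost.exe never does.
DROP_PATH = re.compile(r"\\AppData\\Roaming\\svchost\.exe$", re.IGNORECASE)

def classify(event: dict) -> list:
    # Return the names of the detections this event triggers ([] if none).
    hits = []
    kind = event.get("type")
    if kind == "process_create":
        image = event.get("image", "").lower()
        parent = event.get("parent_image", "").lower()
        # The lure: the Hangul word processor launching the linked 'updater'.
        if parent.endswith("\\hwp.exe") and image.endswith("\\hanwordupdate.exe"):
            hits.append("hwp_spawns_hanwordupdate")
        if DROP_PATH.search(image):
            hits.append("svchost_in_appdata")
    elif kind == "registry_set":
        key = event.get("key", "").lower()
        if (key.endswith("\\currentversion\\run\\" + RUN_VALUE)
                and DROP_PATH.search(event.get("data", ""))):
            hits.append("hyperserver_run_key")
    elif kind == "dns_query":
        if event.get("query", "").lower().rstrip(".") == C2_DOMAIN:
            hits.append("c2_domain_lookup")
    return hits

# Constructed telemetry: a benign Hwp start and a benign svchost, then the chain.
SAMPLE_EVENTS = [
    {"id": 1, "type": "process_create", "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Program Files\Hnc\Hwp.exe"},
    {"id": 2, "type": "process_create", "parent_image": r"C:\Program Files\Hnc\Hwp.exe",
     "image": r"C:\Users\alice\AppData\Local\Temp\hanwordupdate.exe"},
    {"id": 3, "type": "registry_set", "data": r"C:\Users\alice\AppData\Roaming\svchost.exe",
     "key": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\HyperServer"},
    {"id": 4, "type": "process_create", "parent_image": r"C:\Windows\System32\services.exe",
     "image": r"C:\Windows\System32\svchost.exe"},
    {"id": 5, "type": "process_create", "parent_image": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Users\alice\AppData\Roaming\svchost.exe"},
    {"id": 6, "type": "dns_query", "query": "kjdnc.gp114.net"},
]

def scan(events):
    # Run every event through classify(); return (event id, detection) pairs.
    return [(e["id"], hit) for e in events for hit in classify(e)]
```

Running scan(SAMPLE_EVENTS) flags events 2, 3, 5 and 6 and leaves the legitimate Hwp.exe and System32 svchost.exe starts untouched.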

Indicators of Compromise

| Type   | Value                             | First Seen | Last Seen  |
|--------|-----------------------------------|------------|------------|
| DOMAIN | kjdnc.gp114.net                   | 2020-07-14 | 2021-12-04 |
| URL    | http://kjdnc.gp114.net/data/log…  | 2020-07-14 | 2021-11-29 |
