Increase in targeted attacks using HWP files with document passwords

2019-11-11 AhnLab Increased target attacks using HWP files with document passwords

https://asec.ahnlab.com/1261


AhnLab observed increased use of password-protected HWP documents in targeted attacks against selected people or organizations. The attackers delivered the document password by email so only intended recipients could open the file, and malicious behavior executed after the password was entered. The password protection changed the file binary and helped evade structural or signature-based antivirus detection before execution. In the cited November 2019 case, a malicious HWP file embedded a PostScript/EPS component that created a malicious PE file in the Windows startup path, making post-execution behavior and file-creation controls important detection points.
