Stealth threat from fileless malware exploiting document file vulnerabilities

2018-01-04 ESTSecurity Stealth threat from fileless malware exploiting document file vulnerabilities

http://blog.alyac.co.kr/1469


ESRC analyzed a malicious HWP document disguised as analysis of North Korea’s 2018 New Year address and assessed it as part of an ongoing spear-phishing pattern against Korean targets. The document embeds an Encapsulated PostScript component that runs shellcode, decrypts a C2 reference, and loads a PNG file from 60chicken.co.kr containing additional hidden shellcode. The payload operates in memory as fileless malware, includes anti-VM behavior, and can receive additional commands from overseas cloud services. ESRC connected the attack code to earlier HWP exploit campaigns using political and security-themed lures, including activity observed against Korean institutions, election-related entities, and North Korea-focused organizations.

Indicators of Compromise

Type    Value            First Seen  Last Seen
DOMAIN  60chicken.co.kr  2018-01-04  2018-01-16
