Beware of a North Korea-attributed hacking attack disguised as a booking request for a broadcast on the KTV YouTube channel under the Ministry of Culture, Sports and Tourism!
2022-05-23 • ESTSecurity
ESRC reports a North Korea-attributed spear-phishing attack using an HWP document disguised as an invitation to appear on a KTV YouTube policy program. The lure targeted specialists in North Korea-related fields. Rather than exploiting a Hancom Office vulnerability, it used a malicious OLE object that displayed a fake "higher-version document" message. Embedded batch and PowerShell commands attempted to communicate with work3.b4a[.]app, a server that ESRC says had appeared repeatedly in North Korea-linked incidents. The activity overlapped with the Kimsuky-linked Kumsong121 cluster, including the use of Yandex email and the abuse of foreign cloud services to store stolen personal data.