Malicious HWP (Hangul) Documents With US Presidential Election Content Being Distributed

2020-11-04 Ahnlab Malicious Korean documents containing content about the US presidential election are being distributed.

https://asec.ahnlab.com/ko/1400/

AhnLab ASEC analyzed malicious HWP documents themed around the U.S. presidential election and North Korea that used embedded OLE/VBS content resembling earlier HWP link-object attacks. When executed, the document dropped hancom.configuration.vbs under a user temp path and used it to contact xeoskin.co[.]kr under /wp/wp-includes/SimplePie/Net/. The retrieved commands modified Microsoft Office VBA warning settings, collected Office version, system information, and recent-file data, and registered an hourly AhnlabUpdate scheduled task to run mshta against suf.hta. ASEC detected the activity as Exploit/HWP.Generic and Trojan/VBS.Agent, highlighting continued abuse of Korean document workflows for persistence and host reconnaissance.

Indicators of Compromise

| Type | Value | First Seen | Last Seen |
|------|-------|------------|-----------|
| URL | http://xeoskin.co.kr/wp/wp-incl… | 2020-11-04 | 2020-11-04 |
| URL | http://xeoskin.co.kr/wp/wp-incl… | 2020-11-04 | 2020-11-04 |
| URL | http://xeoskin.co.kr/wp/wp-incl… | 2020-11-04 | 2020-11-04 |
| URL | http://xeoskin.co.kr/wp/wp-incl… | 2020-11-04 | 2020-11-04 |
| URL | http://xeoskin.co.kr/wp/wp-incl… | 2020-11-04 | 2020-11-04 |
| DOMAIN | xeoskin.co.kr | 2020-11-04 | 2020-11-04 |
