Thallium group, sued by Microsoft in the US, raises the threat of a 'FakeStriker' APT campaign against South Korea
2020-07-25 • ESTSecurity
ESRC assesses that roughly a year of Korean-language spear-phishing activity is directly or indirectly connected to the Thallium group (Microsoft's name for the actor more widely tracked as Kimsuky), which Microsoft sued in a US court in December 2019 after linking it to attacks on government, think-tank, university, and human-rights targets. The Korean activity concentrated on communities working on politics, diplomacy, security, unification, defense, North Korea research, journalism, defectors, and human rights. Lures arrived by e-mail as malicious HWP or DOC attachments: the HWP files carried PostScript that ran embedded shellcode through the document viewer's PostScript handling, while the DOC files used VBA macros that launched PowerShell. Both chains executed commands, collected system information, and staged additional payloads. C2 traffic went to subdomains of free web-hosting services (mypressonline, scienceontheweb, atwebpages, and mygamesonline), reused the same multipart upload strings across campaigns, and fetched encoded files that were decoded on the host into zyx.dll or similar follow-on modules. Taken together, the cases show sustained targeting of Korea and North Korea policy communities over many months, with document lures and C2 paths that changed between waves while payload conventions stayed constant. For defenders, the repeated conventions (the hosting providers, the multipart upload format, and the decoded module names) are the durable indicators; individual subdomains and paths rotate.
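The C2 pattern above (a multipart upload of system information plus a fetch of a staged payload, both against a subdomain of one of the named free-hosting providers) can be turned into a simple proxy-log triage. The script below is an added example, not ESRC's code or tooling: the pipe-delimited log format, the IP addresses, the subdomains and the URL paths are all constructed for illustration, and only the four parent domains come from the write-up. It tags every request to those providers and then reports the (source, host) pairs that show both halves of the pattern.

```python
"""Proxy-log triage for the FakeStriker-style C2 pattern described above.

Added example (not ESRC's code). Log format, IPs, subdomains and paths are
constructed for illustration; only the four parent domains come from the report.
"""
from collections import defaultdict
from urllib.parse import urlsplit

# Parent domains of the free web-hosting services named in the ESRC write-up.
FREE_HOST_PARENTS = {
    "mypressonline.com",
    "scienceontheweb.net",
    "atwebpages.com",
    "mygamesonline.org",
}

# Constructed sample proxy log (not real traffic), one request per line:
#   ts|src_ip|method|url|status|request_content_type|user_agent
SAMPLE_LOG = """\
2020-07-20T09:01:11Z|10.0.0.15|GET|http://www.microsoft.com/|200|-|Mozilla/5.0
2020-07-20T09:02:03Z|10.0.0.15|POST|http://update-check.atwebpages.com/home/post.php|200|multipart/form-data; boundary=----1234|Mozilla/4.0 (compatible; MSIE 7.0)
2020-07-20T09:02:09Z|10.0.0.15|GET|http://update-check.atwebpages.com/home/down.php?id=7|200|-|Mozilla/4.0 (compatible; MSIE 7.0)
2020-07-20T09:05:44Z|10.0.0.22|GET|http://news-daily.mypressonline.com/index.html|200|-|Mozilla/5.0
2020-07-20T09:06:00Z|10.0.0.31|POST|http://intranet.corp.example/upload|200|multipart/form-data; boundary=abc|Mozilla/5.0
"""


def parse_line(line):
    """Split one constructed log line into a dict; the hostname is lower-cased."""
    ts, src, method, url, status, ctype, ua = line.split("|", 6)
    parts = urlsplit(url)
    return {
        "ts": ts, "src": src, "method": method.upper(),
        "host": (parts.hostname or "").lower(), "path": parts.path,
        "status": int(status), "ctype": ctype, "ua": ua,
    }


def parent_domain(host):
    """Registrable domain for the two-label providers in FREE_HOST_PARENTS.

    Deliberately simple last-two-labels rule: it is wrong for multi-label
    public suffixes such as co.kr, which none of these providers use.
    """
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def triage(log_text):
    """Return (events, pairs_with_full_pattern).

    events: every request to a free-hosting subdomain, tagged by what it looks like.
    pairs_with_full_pattern: (src_ip, host) pairs that both posted a multipart body
    (the system-information upload) and fetched something (the staged payload) from
    the same free-hosting host, which is the combination the report describes.
    """
    events = []
    seen = defaultdict(set)  # (src_ip, host) -> {"upload", "download"}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        if parent_domain(ev["host"]) not in FREE_HOST_PARENTS:
            continue  # many benign sites live on these providers; the domain alone is noise
        tags = ["free_hosting_contact"]
        key = (ev["src"], ev["host"])
        if ev["method"] == "POST" and ev["ctype"].lower().startswith("multipart/form-data"):
            tags.append("multipart_upload")
            seen[key].add("upload")
        elif ev["method"] == "GET":
            tags.append("download_candidate")
            seen[key].add("download")
        events.append((ev["ts"], ev["src"], ev["host"], ev["path"], tags))
    full = sorted(k for k, v in seen.items() if {"upload", "download"} <= v)
    return events, full


def triage_sample():
    """Run the triage over the constructed SAMPLE_LOG."""
    return triage(SAMPLE_LOG)


if __name__ == "__main__":
    evs, full = triage_sample()
    for e in evs:
        print(*e)
    print("full upload+download pattern:", full)
```

Contact with a free-hosting provider on its own is not an alert; the correlated pair is. Before escalating, retrieve the object the GET returned and check whether it is an encoded blob rather than a web page, which is the step that distinguishes a staged follow-on module from an ordinary personal site hosted on the same provider.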