In the Biden era, signs of APT attacks were discovered containing 'North Korea denuclearization negotiations and regime security details'

2020-11-17 ESTSecurity In the Biden era, signs of APT attacks were discovered containing 'North Korea denuclearization negotiations and regime security details'

https://blog.alyac.co.kr/3383

ESRC reported a spearphishing campaign using a malicious Microsoft Word document about Biden-era North Korea denuclearization negotiations and regime-security guarantees. The email delivered a download URL disguised to resemble a Korean portal service; when the document was opened, it prompted the victim to enable macros before showing decoy content relevant to North Korea policy. The macro invoked mshta against naver.midsecurity.org, registered a scheduled task named Microsoft Office Update, collected system, process and user-directory information, and sent it to the same C2 infrastructure. ESRC noted similarities to previous Thallium activity, including a distinctive WebKitFormBoundary string and attack pattern, and assessed the campaign as a spearphishing threat to Korea policy and North Korea-related communities.
