Attack disguised as a Biden administration launch planning survey appears, suspected to be the work of the 'Thallium' group

2021-01-18 ESTSecurity: Attack disguised as a Biden administration launch planning survey appears, suspected to be the work of the 'Thallium' group

https://blog.alyac.co.kr/3525


ESRC reported a Thallium/Kimsuky-attributed campaign using a malicious DOC disguised as a survey about the incoming Biden administration and U.S. foreign and security policy. The document displayed a fake Office update prompt to induce macro enablement; once allowed, the macro collected antivirus information, contacted majar.medianewsonline[.]com, and attempted information theft and additional malware download. The source also links related spear-phishing against North Korea-focused experts to a spoofed Korea Institute for National Unification sender and a phishing server at naver.servehttp[.]com that harvested email passwords before showing a legitimate PDF. The report frames the activity as continued North Korea-linked targeting of journalists, professors, and current or former political, diplomatic, security, unification, and defense officials.

Indicators of Compromise

| Type | Value | First Seen | Last Seen |
|---|---|---|---|
| DOMAIN | naver.servehttp.com | 2021-01-18 | 2021-01-18 |
