Distribution of a Malicious Excel (XLS) File with Court Judgment Content: KONNI Group
2020-07-01 • AhnLab • Malicious Excel XLS file with court judgment content distributed by the KONNI group
AhnLab analyzed a malicious Excel campaign whose court-judgment lure used macros to download and launch a second Excel document, then chained batch, VBS, and encoded CAB content from view-naver.com. The activity is described as sharing KONNI/Operation Moneyholic tradecraft, with the initial vector shifted from HWP to XLS. Once macros run, the malware stages mo1.bat, no1.bat, vbs.txt, mysec2.bat, and no42.bat to collect user information, upload it, register persistence through start2.vbs, and download additional payloads. Representative indicators include view-naver.com/xls paths, resulview.com, and hashes for the XLS and staged files.
Indicators of Compromise
| Type | Value | First Seen | Last Seen |
|---|---|---|---|
| HASH | 4af8906f903f5de0ea98d3e323ee869c | 2020-07-01 | 2020-07-01 |
| HASH | 83478fb5d4eadb2111688953ee6cea8… | 2020-07-01 | 2020-07-01 |
| DOMAIN | view-naver.com | 2020-07-01 | 2020-07-01 |