North Korea-Linked Attack Emerges Disguised as Hospital and Medical Center Health Checkup Certificate Issuance
2022-03-04 • ESTSecurity • North Korea-Linked Attack Disguised as Hospital Health Check Certificate Issuance
ESRC describes a North Korea-linked attack in South Korea that disguised malware as a hospital or medical institution health-check certificate issuance program. The installer combined a legitimate hospital certificate plugin with an encrypted backdoor resource, allowing the normal installation screen and service flow to appear while a malicious module was installed in parallel. ESRC connects the activity to earlier attacks against a domestic broadcaster, North Korea-focused media, and a Japanese diplomatic-security think tank by comparing file similarity, function structure, the Freehunter account, KGH-related artifacts, and related C2 infrastructure. Reported infrastructure includes ms-work[.]com-info[.]store, ms-work[.]com-pass[.]online, and support-hosting[.]000webhostapp[.]com. The campaign shows continued abuse of trusted public-service themes and software bundling to reach South Korean users around the presidential election period.