'North Korea's Gray-Zone Strategy and Countermeasures' Hangul Document (HWP) Being Distributed

2020-07-03 AhnLab HWP document titled North Korea's Gray-Zone Strategy and Countermeasures being distributed

https://asec.ahnlab.com/1347


AhnLab observed a malicious HWP lure titled "North Korea's Gray-Zone Strategy and Countermeasures" that carries an embedded EPS (PostScript) object exploiting CVE-2017-8291, a Ghostscript -dSAFER sandbox bypass. When the document is opened, HWP renders the EPS through gbb.exe, the Ghostscript-based EPS renderer bundled with Hancom Office, and the exploit runs the attacker's shellcode inside that process. The shellcode injects into the Hancom helper processes HimTray.exe or HncCommTCP.exe, falling back to cmd.exe, and from there launches userinit.exe and injects the final payload into it. The payload performs anti-VM checks, writes a temporary batch file that collects host and user information into a path under AppData\Roaming\Microsoft\Network, and uploads the collected data to its C2 server. The report also notes a routine that downloads a further component, zyx.dll, but that file was unavailable at the time of analysis. AhnLab detects the internal PE as Trojan/Win32.Susnokoma.
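
The execution chain above (Hwp.exe rendering EPS through gbb.exe, cmd.exe as the fallback host, userinit.exe started outside a logon, a batch file staged under AppData\Roaming\Microsoft\Network) is what a defender can hunt for in endpoint telemetry. The following Python is an added example, not AhnLab's code or anything from the report: it runs three rules over constructed Sysmon-style process-creation events. The PIDs, install paths (C:\Hnc\...) and batch file name (t.bat) are invented for the example; the report gives only the process names and the staging directory.

```python
"""Hunt for the HWP/EPS exploit chain in process-creation telemetry (added example)."""
import ntpath
import re

# Constructed process-creation events (Sysmon Event ID 1 style, simplified).
# PIDs, paths and file names are invented for this example, not taken from the report.
SAMPLE_EVENTS = [
    {"pid": 500,  "ppid": 4,    "image": r"C:\Windows\System32\winlogon.exe",
     "cmdline": "winlogon.exe"},
    {"pid": 600,  "ppid": 500,  "image": r"C:\Windows\System32\userinit.exe",
     "cmdline": "userinit.exe"},                       # normal interactive logon
    {"pid": 700,  "ppid": 600,  "image": r"C:\Windows\explorer.exe",
     "cmdline": "explorer.exe"},
    {"pid": 800,  "ppid": 700,  "image": r"C:\Hnc\Office\Bin\Hwp.exe",
     "cmdline": r'"Hwp.exe" "C:\Users\u\Downloads\lure.hwp"'},
    {"pid": 900,  "ppid": 800,  "image": r"C:\Hnc\Shared\gbb.exe",
     "cmdline": "gbb.exe"},                            # EPS rendering by itself is normal
    {"pid": 1000, "ppid": 900,  "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'cmd.exe /c "C:\Users\u\AppData\Roaming\Microsoft\Network\t.bat"'},
    {"pid": 1100, "ppid": 1000, "image": r"C:\Windows\System32\userinit.exe",
     "cmdline": "userinit.exe"},                       # userinit.exe outside a logon
]

# Staging directory named in the report; the batch file name is an assumption,
# so match any .bat under that directory rather than a fixed name.
STAGING_BAT = re.compile(
    r"AppData\\Roaming\\Microsoft\\Network\\[^\"\s]+\.bat", re.IGNORECASE)


def _base(path):
    """Lower-cased file name of a Windows path."""
    return ntpath.basename(path).lower()


def hunt(events):
    """Return (pid, rule) pairs for events matching the chain:
    - gbb_child: the EPS renderer gbb.exe spawned a child (it never should)
    - userinit_bad_parent: userinit.exe whose parent is not winlogon.exe
    - staging_bat: a batch file run from the AppData\\Roaming\\Microsoft\\Network path
    Hwp.exe -> gbb.exe alone is not flagged: any HWP with an EPS object causes it."""
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for e in events:
        parent = by_pid.get(e["ppid"])
        parent_img = _base(parent["image"]) if parent else ""
        if parent_img == "gbb.exe":
            hits.append((e["pid"], "gbb_child"))
        if _base(e["image"]) == "userinit.exe" and parent_img != "winlogon.exe":
            hits.append((e["pid"], "userinit_bad_parent"))
        if STAGING_BAT.search(e["cmdline"]):
            hits.append((e["pid"], "staging_bat"))
    return hits


if __name__ == "__main__":
    for pid, rule in hunt(SAMPLE_EVENTS):
        print(f"pid {pid}: {rule}")
```

The legitimate userinit.exe started by winlogon.exe (pid 600) is not reported, while the one started by cmd.exe is; keying the rule on the parent rather than on the image alone is what keeps the false-positive rate tolerable on a fleet where every logon runs userinit.exe. The gbb_child rule is the strongest of the three, since a PostScript renderer has no reason to create processes.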

Indicators of Compromise

Type    Value                              First Seen  Last Seen
URL     http://lovelovelove.atwebpages.…   2020-07-03  2021-05-01
DOMAIN  lovelovelove.atwebpages.com        2020-07-03  2021-05-01
URL     http://lovelovelove.atwebpages.…   2020-07-03  2020-07-03
