Beware of North Korea-linked hacking disguised as an opinion survey for North Korean defector advisory committee members

2022-05-09 ESTSecurity

https://blog.alyac.co.kr/4702

ESTsecurity ESRC identified a North Korea-linked HWP document attack disguised as a survey for North Korean defector advisory committee members. The lure abused current news about anti-North Korea leaflet launches and displayed a fake HWP version message to persuade the user to click. Once opened, embedded OLE content executed a batch file and PowerShell commands that attempted communication with a domestic Korean server. The activity used task scheduler conditions to hide C2 communication and impersonated ESTsoft-related software, with overlaps to an earlier phishing case impersonating the UN Human Rights Office. ESRC assessed the HWP technique and command tactics as consistent with previous North Korea-linked cyber operations and shared threat intelligence with KISA and other authorities.

Indicators of Compromise

Type Value First Seen Last Seen
DOMAIN hanainternational.net 2022-05-09 2022-07-25
