Impersonation of North Korea Trend Information and Unification Story Contest Documents… Warning of Attacks by North Korea-Linked APT Groups
2020-12-09 • ESTSecurity
ESRC reported two North Korea-linked APT operations attributed respectively to Thallium and Geumseong121: a Ministry of Unification-themed phishing email and a malicious HWP document posing as a Peace and Unification story contest application. The email used a forged first-page image and a fake PDF attachment link to collect the recipient’s email password, enabling account takeover and secondary phishing. The HWP lure abused Hangul Office OLE by placing a transparent object over the document so user interaction executed embedded malware, a technique that can work even without exploiting a software vulnerability. ESRC warned that these DPRK-linked groups were actively targeting South Korea and the United States, including pharmaceutical, cryptocurrency, science-and-technology, and North Korea-related communities.