AhnLab reports targeted attacks using malicious PDF documents believed to be connected to a North Korea-related group, possibly Kimsuky or Thallium, while noting that imitation by another actor remains possible. The PDFs exploited CVE-2020-9715 in unpatched Adobe Acrobat to execute embedded JavaScript and launch fileless EXE payloads from memory; several lures used inter-Korean relations themes likely aimed at individuals or organizations working on those issues. The malware contacted atwebpages[.]com infrastructure to download additional files, and related DLL samples used XOR encoding, VMProtect, and the export name “FirstFunction.” AhnLab ties the activity to earlier Kimsuky/Thallium-like code style and C2 patterns, and provides hashes plus representative C2 domains for detection.