Konni APT group attack disguised as documents related to the 'North Korea Central Committee Plenary Meeting' and '2020 Tokyo Paralympic Games' detected
2020-01-16 • ESTsecurity • Konni APT group attack disguised as documents related to 'North Korea Central Committee Plenary Meeting' and '2020 Tokyo Paralympic Games' detected
ESTsecurity observed Konni APT spear-phishing documents disguised as North Korea Central Committee plenary meeting material and Tokyo Paralympics-related content. The malicious documents shared social and geopolitical lures, Korean code page artifacts and the same last-author metadata value, and carried macros that ran only after the user enabled active content. The macro dropped df.txt, renamed it to gb.exe, downloaded architecture-specific payload data, decoded a custom Base64-encoded CAB payload, and installed xclientsvvc.dll through the COM+ System Application service. The installed component downloaded FTP credentials, uploaded systeminfo and tasklist output to attacker-controlled FTP infrastructure, and could receive additional commands or CAB payloads for follow-on remote control. The report also notes suspected operational links or overlap between Konni and Kimsuky based on ESTsecurity tracking.
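As an added, defender-side example (not code from the ESTsecurity report), the following Python detector correlates the chain stages summarised above across constructed Sysmon-style events from several hosts; the event schema, the FTP-client allowlist and the registry value name used in the sample are assumptions.

```python
"""Correlate the Konni dropper chain stages over constructed endpoint events.
Event dicts below are CONSTRUCTED samples, not real telemetry; field names,
the FTP-client allowlist and the registry value name are assumptions."""
from collections import defaultdict

OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe"}
RECON = {"systeminfo.exe", "tasklist.exe"}
FTP_CLIENTS = {"ftp.exe", "filezilla.exe"}  # assumed allowlist of legitimate FTP tools
MIN_STAGES = 3  # hosts matching fewer distinct stages are not reported

def detect_konni_chain(events):
    """Map each host to the sorted chain stages it matched, keeping hosts with >= MIN_STAGES."""
    stages = defaultdict(set)
    recon = defaultdict(set)
    for e in events:
        h, kind = e["host"], e["type"]
        if kind == "file_create" and e["proc"] in OFFICE and e["path"].lower().endswith("\\df.txt"):
            stages[h].add("1 office process drops df.txt")
        elif (kind == "file_rename" and e["src"].lower().endswith("\\df.txt")
              and e["dst"].lower().endswith("\\gb.exe")):
            stages[h].add("2 df.txt renamed to gb.exe")
        elif (kind == "registry_set" and "\\services\\comsysapp\\" in e["key"].lower()
              and "xclientsvvc.dll" in e["value"].lower()):
            stages[h].add("3 COM+ System Application service points at xclientsvvc.dll")
        elif kind == "process_create" and e["proc"] in RECON:
            recon[h].add(e["proc"])
            if recon[h] == RECON:  # both systeminfo and tasklist seen on this host
                stages[h].add("4 systeminfo and tasklist collected")
        elif kind == "net_connect" and e["dport"] == 21 and e["proc"] not in FTP_CLIENTS:
            stages[h].add("5 FTP connection from a non-FTP-client process")
    return {h: sorted(s) for h, s in stages.items() if len(s) >= MIN_STAGES}

# Constructed sample events: ws-01 reproduces the full chain, ws-02 and ws-03 are benign.
SAMPLE_EVENTS = [
    {"host": "ws-01", "type": "file_create", "proc": "winword.exe", "path": "C:\\Users\\u\\AppData\\Local\\Temp\\df.txt"},
    {"host": "ws-01", "type": "file_rename", "src": "C:\\Users\\u\\AppData\\Local\\Temp\\df.txt", "dst": "C:\\Users\\u\\AppData\\Local\\Temp\\gb.exe"},
    {"host": "ws-01", "type": "registry_set", "key": "HKLM\\SYSTEM\\CurrentControlSet\\Services\\COMSysApp\\Parameters\\ServiceDll", "value": "C:\\Windows\\System32\\xclientsvvc.dll"},  # value name assumed
    {"host": "ws-01", "type": "process_create", "proc": "systeminfo.exe"},
    {"host": "ws-01", "type": "process_create", "proc": "tasklist.exe"},
    {"host": "ws-01", "type": "net_connect", "proc": "svchost.exe", "dport": 21},
    {"host": "ws-02", "type": "file_create", "proc": "winword.exe", "path": "C:\\Users\\v\\Documents\\report.docx"},
    {"host": "ws-02", "type": "net_connect", "proc": "filezilla.exe", "dport": 21},
    {"host": "ws-03", "type": "process_create", "proc": "systeminfo.exe"},  # admin inventory, one stage only
    {"host": "ws-03", "type": "process_create", "proc": "tasklist.exe"},
]

if __name__ == "__main__":
    print(detect_konni_chain(SAMPLE_EVENTS))
```

Only ws-01 is reported, because ws-03's recon alone stays under MIN_STAGES and ws-02's FTP traffic comes from an allowlisted client.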