Beware of North Korea-linked 'Geumseong 121' APT attack disguised as a column on North Korea's recent political situation!
2021-09-07 • ESTSecurity
ESRC reported a North Korea-linked Geumseong121 campaign that used spear-phishing against a North Korean human-rights organization leader with a malicious DOC disguised as a column about recent North Korean political and security issues. The attacker allegedly compromised or abused an SNS relationship to build trust, then delivered the macro-enabled document by email; enabling macros exposed the victim to compromise. ESRC connected the malware to prior “Spy Cloud” activity through similar macro routines and artifacts such as Weapon and bluelight PDB paths, and noted the group’s broader use of cloud services, watering-hole attacks, and Android smishing to steal personal and device data.