North Korea's Thallium Group conducts hacking attack using Google blog
2021-07-01 • ESTSecurity
ESRC reports a surge of Kimsuky/Thallium activity against South Korean targets in the public sector, diplomacy, security, unification and defense fields, with Google Blogspot pages used as part of the command-and-control infrastructure. The attack observed on June 28 delivered a password-protected MS Word document disguised as an academic-conference participation form; when the recipient enabled macros, the malware first contacted a website belonging to a domestic small business and then a Google Blogspot page under the attackers' control.

On the host, the malware dropped a malicious file named desktop.ini (a name chosen to blend in with the legitimate Windows folder-settings file), added a shortcut named iexplore.exe.lnk to the Startup folder for persistence, and collected the user name, OS and Office versions, running processes, recently opened documents and a listing of desktop files. The collected data was sent to a path on a domestic server of the form daewon3765.*.com/about/post/info.ph. Pairing a legitimate blog service with compromised Korean infrastructure is meant to evade network monitoring: for defenders, traffic to Blogspot by itself is a weak signal, while an .exe.lnk in the Startup folder, a desktop.ini that is not the small hidden system file, and requests to the /about/post/info.ph path are the more actionable indicators.
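As an added triage example (this is not code from the ESRC report or ESTSecurity), the Python below turns the host and network indicators described above into three checks run over constructed data: a shortcut in the Startup folder named like an executable (iexplore.exe.lnk), a desktop.ini that lacks the hidden+system attributes or is too large to be the real one, and a client that fetches a *.blogspot.com page and then contacts a path containing /about/post/info.ph (the path exactly as printed in the report). The file paths, attribute bits, the 2 KB size threshold, the proxy-log field layout and the domain daewon3765.example.com (standing in for the wildcarded name in the report) are all assumptions.

```python
"""Triage checks for the Kimsuky/Thallium tradecraft summarised above.

Added example, not from the ESRC report. All sample entries and log lines
below are constructed; thresholds and log layout are assumptions.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Windows attribute bits as returned in os.stat(...).st_file_attributes
FILE_ATTRIBUTE_HIDDEN = 0x2
FILE_ATTRIBUTE_SYSTEM = 0x4


@dataclass(frozen=True)
class Entry:
    """One file from a user-profile directory listing (constructed input)."""
    path: str
    size: int
    attributes: int


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def suspicious_startup_lnk(entries: list[Entry]) -> list[str]:
    """Flag Startup-folder shortcuts named like an executable, e.g. iexplore.exe.lnk.

    A genuine shortcut is 'Internet Explorer.lnk'; '<name>.exe.lnk' dropped
    into Startup is the persistence shape described in the report.
    """
    hits = []
    for e in entries:
        in_startup = "\\start menu\\programs\\startup\\" in e.path.lower()
        if in_startup and _basename(e.path).endswith(".exe.lnk"):
            hits.append(e.path)
    return hits


def suspicious_desktop_ini(entries: list[Entry], max_size: int = 2048) -> list[str]:
    """Flag desktop.ini files that do not look like the real folder-view file.

    The genuine file is a few hundred bytes and carries hidden+system
    attributes; a larger or non-hidden one is a payload wearing the name.
    (The size threshold is an assumed heuristic, not from the report.)
    """
    expected = FILE_ATTRIBUTE_HIDDEN | FILE_ATTRIBUTE_SYSTEM
    hits = []
    for e in entries:
        if _basename(e.path) != "desktop.ini":
            continue
        if e.size > max_size or (e.attributes & expected) != expected:
            hits.append(e.path)
    return hits


# Assumed proxy-log layout: "<client-ip> <user> <method> <url>"
LOG_RE = re.compile(r"^(?P<host>\S+) (?P<user>\S+) (?P<method>[A-Z]+) (?P<url>\S+)$")
EXFIL_PATH = "/about/post/info.ph"  # path fragment exactly as printed in the report


def c2_sequence_by_host(log_lines: list[str]) -> dict[str, list[str]]:
    """Per client, report requests to the exfil path that follow a Blogspot fetch.

    Blogspot traffic alone is common and not alerted on; it only primes the
    client so that a later request to the report's exfil path is flagged.
    """
    seen_blogspot: set[str] = set()
    hits: dict[str, list[str]] = {}
    for line in log_lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than failing the whole batch
        host, url = m["host"], m["url"]
        netloc = url.split("//", 1)[-1].split("/", 1)[0].lower()
        if netloc.endswith(".blogspot.com"):
            seen_blogspot.add(host)
        elif host in seen_blogspot and EXFIL_PATH in url:
            hits.setdefault(host, []).append(url)
    return hits


# Constructed sample data: one infected user (kim) and two benign clients.
STARTUP = r"C:\Users\kim\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"
SAMPLE_ENTRIES = [
    Entry(STARTUP + r"\iexplore.exe.lnk", 1200, 0x20),          # attacker persistence
    Entry(STARTUP + r"\OneNote.lnk", 1100, 0x20),                # legitimate shortcut
    Entry(r"C:\Users\kim\Desktop\desktop.ini", 282, 0x6),        # genuine hidden+system
    Entry(r"C:\Users\kim\AppData\Local\Temp\desktop.ini", 48000, 0x20),  # payload
]
SAMPLE_LOG = [
    "10.0.0.7 kim GET https://www.google.com/",
    "10.0.0.7 kim GET http://smallbiz.example.co.kr/notice.html",   # first hop
    "10.0.0.7 kim GET https://attacker-page.blogspot.com/2021/06/post.html",
    "10.0.0.7 kim POST http://daewon3765.example.com/about/post/info.ph",
    "10.0.0.9 jane GET https://travel-diary.blogspot.com/2021/05/trip.html",
    "10.0.0.12 lee GET http://daewon3765.example.com/about/post/info.ph",  # no Blogspot first
]

if __name__ == "__main__":
    print("startup .exe.lnk:", suspicious_startup_lnk(SAMPLE_ENTRIES))
    print("odd desktop.ini: ", suspicious_desktop_ini(SAMPLE_ENTRIES))
    print("C2 sequence:     ", c2_sequence_by_host(SAMPLE_LOG))
```

On a live host the entries would come from `os.scandir` over the user's profile with `st_file_attributes`, and the log lines from the proxy export. The third check deliberately does not flag 10.0.0.12, which hit the exfil path without a preceding Blogspot fetch; whether to alert on that path alone is a tuning decision, since it is the most specific indicator in the report.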