Stop analyzing!! I am a document file (original title: 분석 멈춰!! 나 문서파일이야)
2021-06-03 • Sands Lab • Stop analyzing!! I am a document file
Attachments: https://drive.google.com/file/d/1FYpi3CyPTfj0zslkcj4JkIEITkubiTNn/view
This Korean-language malware analysis covers a malicious document disguised as an International Constitution Day forum file, which was likely delivered by phishing to reach a broad target set. Enabling content runs obfuscated macros that contact rukagu.mypressonline.com, fetch /le/yj.txt, and execute it with PowerShell. The script changes the PowerShell execution policy, creates an AhnLab-themed directory and a persistence key, collects system information into a decoy HWP file, uploads that file to the C2 server, and attempts to download and decrypt a later-stage payload. The authors attribute the activity to a previously observed attack group based on the script's structure and shared C2 IP infrastructure.