Malicious Hangul document disguised as birthday greetings (OLE object)

2022-08-23 Ahnlab Malicious Hangul document disguised as happy birthday content (OLE object)

https://asec.ahnlab.com/ko/37974/


AhnLab analyzed a malicious Hangul document chain that uses VBScript downloaders and OLE-linked execution to stage additional files under %APPDATA% and Windows theme paths. The initial scripts retrieve content from datkka.atwebpages[.]com, datarium.epizy[.]com, and a Naver Mail download link, then register a scheduled task to run every 30 minutes. The HWP lure drops HappyBirthday.vbs, which attempts to download and execute another script from driver.googledocs.cloudns[.]nz. The document author metadata references a South Korean peace education platform, and the report assesses the lure was likely crafted for a target connected to North Korea-related individuals, but it does not attribute the activity to a DPRK actor.

Indicators of Compromise

