Distribution of malicious Korean HWP files with lawsuit-related content - KONNI organization

2019-12-12 AhnLab

https://asec.ahnlab.com/1277


AhnLab reported a malicious HWP file tied to the Konni cluster and the Operation MoneyHolic activity set. The lure was presented as a legal response document for a private hospital lawsuit and contained a malicious PostScript object. Shellcode analysis led AhnLab to assess that the file was distributed by Konni or an Operation MoneyHolic-related actor. The report provides a file hash and execution-flow context useful for detecting HWP/PostScript delivery chains associated with Korean-language APT activity.

Indicators of Compromise

Type Value First Seen Last Seen
HASH f5339239a6bcda0afe61e6ef8bfafe5… 2019-12-12 2019-12-12
HASH bbde7c694faf6b450adbfc8efe88a41a 2019-12-12 2019-12-12
