Beware of Konni hacking threats disguised as cryptocurrency company partnership issues!

2022-09-28 ESTSecurity

https://blog.alyac.co.kr/4935

ESRC reported a Konni-attributed campaign using a malicious Word document disguised as cryptocurrency partnership news about Coinone and KakaoBank. The lure reused a real September 2022 article and applied remote template injection to contact word2022.c1.biz and download a DOTM template containing macros. If the victim enabled content, the macro changed the hidden white body text to black while sending the infected PC's OS version, computer name, and IPv4/IPv6 information to the C2 server. ESRC linked the activity to the Konni organization linked to North Korea's Reconnaissance General Bureau and warned defense, security, and related South Korean organizations during the US-ROK naval exercise period.
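
A defender-side check for the remote template injection described above, as an added example that is not from the ESRC report: it reads a DOCX's word/_rels/settings.xml.rels part and reports attachedTemplate relationships that point to a network location, flagging the domain listed on this page. The sample document is constructed, the .dotm path is a placeholder, and the function names are assumptions.

```python
import io
import zipfile
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

RELS_PART = "word/_rels/settings.xml.rels"
REL_TAG = "{http://schemas.openxmlformats.org/package/2006/relationships}Relationship"
TEMPLATE_TYPE = ("http://schemas.openxmlformats.org/officeDocument/2006/"
                 "relationships/attachedTemplate")
IOC_HOSTS = {"word2022.c1.biz"}  # domain listed in this report


def is_remote(target):
    """True for network targets: http/https/ftp, file://host/..., UNC paths."""
    url = urlparse(target)
    if url.scheme in ("http", "https", "ftp"):
        return True
    return (url.scheme == "file" and bool(url.netloc)) or target.startswith("\\\\")


def remote_templates(docx_bytes):
    """Return [(target, matches_ioc)] for remotely attached templates."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        if RELS_PART not in zf.namelist():
            return []
        root = ET.fromstring(zf.read(RELS_PART))
    found = []
    for rel in root.iter(REL_TAG):
        target = rel.get("Target", "")
        if rel.get("Type") == TEMPLATE_TYPE and is_remote(target):
            found.append((target, urlparse(target).hostname in IOC_HOSTS))
    return found


def sample_docx(target):
    """Constructed test input: a ZIP with only the settings relationship part."""
    rels = ('<?xml version="1.0" encoding="UTF-8"?>'
            '<Relationships xmlns="http://schemas.openxmlformats.org/package/'
            '2006/relationships"><Relationship Id="rId1" Type="%s" Target="%s" '
            'TargetMode="External"/></Relationships>' % (TEMPLATE_TYPE, target))
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(RELS_PART, rels)
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed target; the .dotm path is a placeholder, not from the report.
    print(remote_templates(sample_docx("http://word2022.c1.biz/PLACEHOLDER.dotm")))
```

A locally attached template such as file:///C:/Templates/Normal.dotm also carries TargetMode="External", so the check keys on the target's scheme and host rather than on that attribute alone.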

Indicators of Compromise

Type    Value            First Seen  Last Seen
DOMAIN  word2022.c1.biz  2022-09-28  2024-09-05
