Cryptocurrency-themed Konni APT campaign and 'Operation Hunter Adonis'

2019-01-02 ESTSecurity Cryptocurrency-related Konni APT campaign and 'Operation Hunter Adonis'

http://blog.alyac.co.kr/2061


ESRC links the Konni campaign to lure documents that historically used North Korea-related themes and, in late 2018, also impersonated policy material and cryptocurrency wallet-related documents. The documented infection chain uses malicious Word macros that fetch Base64-encoded text files, decode a CAB payload with certutil, run install.bat, and persist Word.exe via the HKCU Run key as svchost. Word.exe decodes winnet.ini and connects to 103.249.31.159:7777, checks for the fxftest string, and can receive additional commands, including installation of remote-control malware such as TeamViewer-like modules. The report notes overlap with techniques seen in Kimsuky activity and raises false-flag considerations, while listing artifacts such as filer2.1apps.com, Word.exe, winnet.ini, ADONIS account traces, and multiple PDB paths useful for tracking related Konni variants.

Indicators of Compromise

Type    Value                                  First Seen   Last Seen
IPv4    103.249.31.159                         2018-12-20   2019-08-29
DOMAIN  filer2.1apps.com                       2018-12-20   2019-06-10
URL     http://filer2.1apps.com/3.txt          2019-01-02   2019-01-02
URL     http://read.pudn.com/downloads6…       2019-01-02   2019-01-02
URL     http://filer2.1apps.com/2.txt          2019-01-02   2019-01-02
