Operation Kimsuky: covert activity and ongoing Korea-tailored APT attacks

2018-02-12 ESTsecurity

http://blog.alyac.co.kr/1536


ESRC (ESTsecurity Security Response Center) reported that Kimsuky-linked activity against South Korean targets was still active in 2018 and had evolved since earlier public reporting. The attacks relied on spear-phishing with malicious HWP (Hangul word-processor) documents themed around North Korea and inter-Korean social and cultural cooperation; samples shared metadata such as the document author value “mofa” and identical shellcode. The shellcode checked for the string “JOYBERTM”, decoded an embedded payload, and used process hollowing to run the malicious code inside userinit.exe before contacting attacker-controlled free hosting such as maii-daum-net.atwebpages.com. The report tied related variants to earlier Korean targets through shared HTTP multipart form parameter names, C2 domains built to resemble Korean portals such as Daum and Nate, and the GHOST419 keyword used to retrieve XOR-encrypted follow-on malware.
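The summary above gives a responder two cheap pivots: a fixed marker string inside the dropped shellcode, and a small set of C2 hostnames that imitate Korean portals on free hosting. The following Python triage helpers are an added example, not code from the ESRC report or from ESTsecurity: they scan file bytes for the JOYBERTM marker and sweep proxy-log lines for the IOC-table domains plus a lookalike heuristic. The UTF-16LE variant of the marker, the naver token, and the free-hosting suffix list beyond the three providers seen on this page are assumptions, and the log lines are constructed.

```python
"""Triage helpers for the Kimsuky HWP campaign summarised above.

Added example (not ESRC code).  Two checks:
  1. marker_offsets()   - find the "JOYBERTM" shellcode marker in a blob
  2. scan_proxy_log()   - flag the report's C2 domains and Korean-portal
                          lookalikes hosted on free web hosting
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Indicators taken from the IOC table on this page.
C2_DOMAINS = {
    "maii-daum-net.atwebpages.com",
    "nate-on.bugs3.com",
    "ink.inkboom.co.kr",
    "followgho.byethost7.com",
}
MARKER = b"JOYBERTM"

# Assumption: the actor names hosts after Korean portals and parks them on
# free hosting.  Suffixes are the providers seen above; "naver" is added
# as an assumed extra token, it does not appear in the report.
FREE_HOSTING_SUFFIXES = (".atwebpages.com", ".bugs3.com", ".byethost7.com")
KOREAN_PORTAL_TOKENS = ("daum", "nate", "naver")


def marker_offsets(data: bytes) -> List[int]:
    """Return every offset of the JOYBERTM marker in ASCII and, as an
    assumption, UTF-16LE (the report does not state the encoding)."""
    hits = []
    for pat in (MARKER, MARKER.decode().encode("utf-16-le")):
        start = 0
        while (i := data.find(pat, start)) != -1:
            hits.append(i)
            start = i + 1
    return sorted(hits)


@dataclass(frozen=True)
class Hit:
    line_no: int
    host: str
    reason: str


HOST_RE = re.compile(r"https?://([A-Za-z0-9.-]+)")


def classify_host(host: str) -> Optional[str]:
    """Known C2 first; otherwise the portal-name-on-free-hosting heuristic."""
    host = host.lower().rstrip(".")
    if host in C2_DOMAINS:
        return "known-c2"
    if host.endswith(FREE_HOSTING_SUFFIXES) and any(
        tok in host for tok in KOREAN_PORTAL_TOKENS
    ):
        return "lookalike-on-free-hosting"
    return None


def scan_proxy_log(lines) -> List[Hit]:
    """Return one Hit per log line whose request host classifies as bad."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = HOST_RE.search(line)
        if not m:
            continue
        reason = classify_host(m.group(1))
        if reason:
            hits.append(Hit(n, m.group(1).lower(), reason))
    return hits


# Constructed sample proxy log (not real traffic).  Line 3 is the genuine
# portal and must not fire; line 4 is a made-up lookalike on bugs3.com.
SAMPLE_LOG = [
    "2018-02-12T09:14:03Z 10.0.0.23 GET http://maii-daum-net.atwebpages.com/login.php 200",
    "2018-02-12T09:14:09Z 10.0.0.23 POST http://followgho.byethost7.com/upload.php 200",
    "2018-02-12T09:15:00Z 10.0.0.41 GET https://www.daum.net/ 200",
    "2018-02-12T09:16:12Z 10.0.0.41 GET http://nate-mail.bugs3.com/index.php 200",
]

if __name__ == "__main__":
    for h in scan_proxy_log(SAMPLE_LOG):
        print(f"line {h.line_no}: {h.host} [{h.reason}]")
    print(marker_offsets(b"\x90\x90JOYBERTM\x00"))
```

The heuristic deliberately keys on the combination of a portal name and a free-hosting suffix; either condition alone would drown the analyst in noise, and the real daum.net request in the sample shows why the suffix check matters. Feed `marker_offsets` the decoded HWP stream or a memory dump of userinit.exe, not the raw compressed document, since the marker sits in the shellcode and not in the container.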

Indicators of Compromise

Type     Value                           First Seen   Last Seen
DOMAIN   maii-daum-net.atwebpages.com    2018-02-12   2018-02-12
DOMAIN   nate-on.bugs3.com               2018-02-12   2018-02-12
DOMAIN   ink.inkboom.co.kr               2018-02-02   2018-02-12
DOMAIN   followgho.byethost7.com         2018-02-02   2018-02-12
