Operation Arabian Nights Attack Group Global Expansion

2018-01-31 ESTSecurity Operation Arabian Nights Attack Group Global Expansion

http://blog.alyac.co.kr/1519


ESRC described activity by a presumed state-sponsored attacker that moved from targeting Korean cryptocurrency exchanges to broader overseas attacks delivered through malicious Microsoft Word documents. A January 2018 DOC file found in Vietnam used a social-engineering lure built around a cryptocurrency and blockchain job description; its macro code XOR-decoded an embedded EXE and launched it. The dropped lsm.exe communicated with a Korean command-and-control host, worker.co.kr at 210.122.7.129, and the malware code matched earlier HWP exploit activity against a Korean cryptocurrency exchange. ESRC noted shared code patterns with past operations, including references to the 3.20 attack organization, code reuse linked to the Sony Pictures incident, and older Kimsuky-family samples using the Core.dll naming pattern. The excerpt supports tracking because it ties cryptocurrency-sector lures, HWP and DOC delivery, obfuscated payloads, and Korean-hosted C2 infrastructure across related campaigns.

Indicators of Compromise

Type     Value            First Seen   Last Seen
DOMAIN   worker.co.kr     2018-01-31   2025-10-18
IPv4     210.122.7.129    2018-01-31   2018-02-12
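As an added example that is not part of the ESRC report, the following Python matches the two indicators above against constructed DNS and proxy log lines, honouring the First Seen / Last Seen window so that a hit on the IP after 2018-02-12 is flagged as outside the indicator's observed lifetime rather than treated as a fresh sighting. The log format, host names and timestamps are assumptions made for the demonstration.

```python
import re
from datetime import date

# Indicators as listed on the page, with their First Seen / Last Seen window.
INDICATORS = {
    "worker.co.kr": ("DOMAIN", date(2018, 1, 31), date(2025, 10, 18)),
    "210.122.7.129": ("IPv4", date(2018, 1, 31), date(2018, 2, 12)),
}

# Constructed DNS/proxy log lines for demonstration only; not from the report.
SAMPLE_LOGS = [
    "2018-02-03T09:14:20Z host=WS-017 query=worker.co.kr type=A",
    "2018-02-03T09:14:22Z host=WS-017 proc=lsm.exe dst=210.122.7.129:80 action=connect",
    "2019-05-10T12:00:00Z host=WS-022 query=api.worker.co.kr type=A",
    "2019-05-10T12:00:01Z host=WS-022 dst=210.122.7.129:443 action=connect",
    "2018-02-03T09:15:00Z host=WS-017 query=worker.co.kr.example.net type=A",
]

TS_RE = re.compile(r"^(\d{4})-(\d{2})-(\d{2})T")
VALUE_RE = re.compile(r"\b(?:query|dst)=([^\s:]+)")  # strips any :port suffix


def value_matches(value, indicator, ioc_type):
    """Exact match for IPs; for domains also match subdomains on a label boundary."""
    value = value.lower().rstrip(".")
    if ioc_type == "IPv4":
        return value == indicator
    # "api.worker.co.kr" matches, "worker.co.kr.example.net" does not
    return value == indicator or value.endswith("." + indicator)


def scan(lines):
    """Return one hit per (line, indicator) with an in_window flag."""
    hits = []
    for idx, line in enumerate(lines):
        m = TS_RE.match(line)
        if not m:
            continue  # skip lines without a parseable timestamp
        seen = date(*map(int, m.groups()))
        for value in VALUE_RE.findall(line):
            for indicator, (ioc_type, first, last) in INDICATORS.items():
                if value_matches(value, indicator, ioc_type):
                    hits.append({"line": idx, "indicator": indicator,
                                 "type": ioc_type,
                                 "in_window": first <= seen <= last})
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOGS):
        print(hit)
```

Hits outside the window still deserve a look, but they are more likely to reflect infrastructure that has since been reassigned than the campaign described above.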
