Operation EvilPlane: an APT attack using files containing South Korean users' personal information

2022-12-07 ESTSecurity Operation EvilPlane: APT attack using files containing South Korean users’ personal information

https://blog.alyac.co.kr/5009


ESRC analyzed Operation EvilPlane, a document-based APT campaign using files containing South Korean users' personal information, and attributed the activity to the Konni group, which is linked to North Korea's Reconnaissance General Bureau. The malicious DOCX used remote template injection to fetch a macro-enabled template from k22012.c1.biz/paypal.dotm; once the user enabled macros, it downloaded an additional CAB payload from 5645780.c1.biz. The chain executed batch scripts, used wpnprv32/64.dll modules for UAC bypass, copied rdssvc.dll and rdssvc.dat into the Windows directory, and installed the payload as a service. The final rdssvc.dll communicated with 4895750.c1.biz to upload host information and receive commands, matching Konni tradecraft that ESRC said it had observed in earlier operations.

Indicators of Compromise

Type     Value            First Seen   Last Seen
DOMAIN   4895750.c1.biz   2022-12-07   2024-09-05
DOMAIN   5645780.c1.biz   2022-12-07   2023-04-11
DOMAIN   k22012.c1.biz    2022-12-07   2022-12-07
