Warning of a surge in targeted attacks on diplomacy and security experts, 'Thallium' group implicated

2021-03-10 ESTsecurity: Warning of a rapid increase in targeted attacks on diplomatic and security experts, 'Thallium' organization implicated

https://blog.alyac.co.kr/3624


ESTsecurity warned of a surge in Thallium-linked spear-phishing against South Korean diplomacy, security, unification and defense-policy experts. The attackers impersonated media outlets, policy institutes, academic societies and North Korea-policy forums, sending tailored emails that requested papers, seminar participation forms, honorarium documents or personal-information consent forms to lure victims into opening malicious attachments. The report notes a shift toward DOC-based attacks with fake English enable-content screens and malicious macros or remote template execution, including apparent imitation of TA551-style document templates. Observed C2 infrastructure included yezu212.myartsonline.com and quarez.atwebpages.com, and ALYac detected the malware as Trojan.Downloader.DOC.Gen.

Indicators of Compromise

Type    Value                     First Seen  Last Seen
DOMAIN  quarez.atwebpages.com     2021-03-10  2021-11-01
DOMAIN  yezu212.myartsonline.com  2021-03-10  2021-03-10
