Is our resume safe?
2018-10-04 • Hauri • Is our resume safe?
http://www.hauri.co.kr/EBook/boanmagazine.html?intSeq=124#/page/1
Hauri analyzed resume-themed malicious Hangul Word Processor (HWP) documents used in spear-phishing campaigns targeting Korean users, noting similarities to activity publicly associated with groups such as BlueNoroff, APT37, ScarCruft, RedEyes, Group123, and Geumsong121. The documents either executed embedded PostScript or exploited GhostScript-related vulnerabilities such as CVE-2013-4979 and CVE-2017-8291 to launch shellcode, inject binaries, or download additional payloads. The malware used layered decoding routines (XOR and AES), RC4-based data decryption, C2 servers addressed by IP or URL, fake TLS-like traffic, and commands for file deletion, library loading, execution, and information exfiltration. The article also examined how the attackers built or modified the resume lures by reusing real personal details, SNS and search-engine data, photos, document metadata, and fabricated career histories.