APT Attack Attempt Using a Word Document (External Connection + VBA Macro)

2022-02-03 AhnLab APT Attack Attempt Using a Word Document (External Connection + VBA Macro)

https://asec.ahnlab.com/ko/30980/


ASEC reported an APT attempt against a broadcasting-company journalist using a malicious Word document disguised as internal financial-work details. Opening the document caused Word to fetch an external DOTM macro from ms-work.com-info.store, which created knla.dat and executed its GetErrorModes export. The DLL contacted the same infrastructure to download and decode an additional in-memory payload, then collected browser account and cookie data from Chrome, Edge, and Firefox into a temporary file before uploading it back to the attacker server. AhnLab detected the document and components as Downloader/XML.Generic, Downloader/DOC.Generic, InfoStealer/Win.Agent, and Trojan/Win.Kimsuky.

Indicators of Compromise

Type    Value                             First Seen  Last Seen
URL     http://ms-work.com-info.store/d…  2022-02-03  2025-01-14
DOMAIN  ms-work.com-info.store            2022-02-03  2025-01-14
