'Spy Cloud' attack by the 'Geumseong121' APT group appears, luring targets with fake evidence of North Korean defection
2020-03-30 • ESTSecurity
ESRC attributed Operation Spy Cloud to the Geumseong121 APT group after observing spear-phishing emails that lured South Korean targets with fake evidence of North Korean defection. The emails linked to downloadable archives containing a malicious Word document whose obfuscated VBA macro and shellcode contacted Google Drive as C2, retrieved an XOR-encrypted invoice.sca payload, and used pCloud to exfiltrate system information. The report ties the activity to prior Geumseong121 operations through reused cloud accounts, email artifacts such as [email protected], overlapping HWP PostScript techniques, and the same final payload seen in Operation Printing Paper.