Beware of 'Blue Estimate Part 5' APT attacks by the Kimsuky group disguised as resumes
2020-03-02 • ESTSecurity • Beware of 'Blue Estimate Part 5' APT attacks by the Kimsuky organization disguised as resumes
ESRC observed a February 2020 APT attack that used a screensaver executable (.scr) named to look like a Korean HWP resume form, so that victims would launch malware believing they were opening a document. ESRC attributes the activity with high confidence to Kimsuky and describes it as a continuation of the Operation Blue Estimate campaign, which previously used document-themed lures including event estimates, technical drawings, and indemnity letters. When the file is opened, the malware drops its payloads, deletes the original disguised executable, and displays a decoy HWP resume document to reduce suspicion. The payload chain consists of an autorun DLL and a second DLL that connects to command-and-control, injects into Windows explorer.exe, downloads additional malware, uploads collected information, and waits for attacker commands. The variant differs from earlier Blue Estimate payloads in its C2 and string handling, but shares code for collecting the victim's MAC address and serial information.
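The lure technique above relies on a file whose name reads as an HWP document but whose extension and header are those of a Windows executable. The following triage helper is an added example, not code from ESRC or the report: it flags executable extensions on document-like names, .scr attachments, and PE (MZ) headers hiding under a document extension. The sample file names and contents are constructed for illustration and are not the real lure.

```python
import os
import re
import tempfile

# Extensions Windows runs on double-click; a victim reading the name as a
# document will still launch them.
EXECUTABLE_EXTS = {".scr", ".exe", ".com", ".pif"}
# Name fragments that make a file read as a Korean HWP resume form
# (constructed list; extend with the naming patterns seen in your environment).
DOCUMENT_HINTS = re.compile(r"\.hwp|이력서|resume", re.IGNORECASE)

def starts_with_mz(path):
    """True if the file carries a PE/MZ header, whatever its name claims."""
    with open(path, "rb") as fh:
        return fh.read(2) == b"MZ"

def triage(path):
    """Return the list of reasons a file is suspicious (empty if none)."""
    name = os.path.basename(path)
    ext = os.path.splitext(name)[1].lower()
    reasons = []
    if ext in EXECUTABLE_EXTS and DOCUMENT_HINTS.search(name):
        reasons.append("executable extension on a document-like name")
    if ext == ".scr":
        reasons.append("screensaver attachment")
    if ext not in EXECUTABLE_EXTS and starts_with_mz(path):
        reasons.append("PE header under a document extension")
    return reasons

def scan_directory(directory):
    """Map each flagged file name to the reasons it was flagged."""
    hits = {}
    for name in sorted(os.listdir(directory)):
        full = os.path.join(directory, name)
        if os.path.isfile(full):
            reasons = triage(full)
            if reasons:
                hits[name] = reasons
    return hits

def build_samples():
    """Write constructed sample files (harmless stubs, not malware) to a temp dir."""
    d = tempfile.mkdtemp()
    samples = {
        "resume_form.hwp.scr": b"MZ" + b"\x00" * 62,   # .scr disguised as HWP
        "resume.hwp": b"MZ" + b"\x00" * 62,            # PE renamed to .hwp
        "notes.hwp": b"\xd0\xcf\x11\xe0" + b"\x00" * 60,  # non-PE header, left alone
    }
    for name, content in samples.items():
        with open(os.path.join(d, name), "wb") as fh:
            fh.write(content)
    return d

if __name__ == "__main__":
    for name, reasons in scan_directory(build_samples()).items():
        print(name, "->", "; ".join(reasons))
```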