Beware of Operation Fake Capsule, an APT variant attack carried out on Sunday
2019-01-20 • ESTSecurity
ESRC described Operation Fake Capsule as a January 2019 government-backed APT variant that reused the double-extension document-disguise technique seen in Operation Cobra Venom, but delivered an SCR file masquerading as an HWP research document. The dropper contained Korean-language resources, created a decoy HWP document about China-related reading and travel, and embedded the C2 host safe-naver-mail.pe.hu in a separate resource. Its payload was designed to imitate ALYac security software paths and filenames, create a temporary self-deletion batch file, and use an Est folder on the C2 server for uploading collected information and receiving download commands. Code similarities with Cobra Venom, including multipart form-data handling, and the Sunday-to-Monday timing noted by ESRC make the activity relevant to tracking South Korea-focused APT tradecraft and security-product impersonation.
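The following is an added defender-side example, not code from the ESRC post. It covers two of the points above: the double-extension disguise of an SCR executable as an HWP document (checked both from the filename and from the file's leading bytes) and a proxy-log scan for multipart form-data POSTs to the C2 host and its Est folder. The host `safe-naver-mail.pe.hu` and the `/Est/` folder come from the post; the log-line format, the sample filenames, headers and log lines are constructed for the example, and the `EXECUTABLE_EXTS` and `DOCUMENT_EXTS` lists are the example's own choices.

```python
"""
Added example (not from the ESRC post): two checks for the Operation Fake
Capsule tradecraft. All sample filenames, file headers and log lines here
are constructed; only the C2 host and the /Est/ folder come from the post.
"""
import re
from urllib.parse import urlsplit

# Extensions Windows will execute; a document extension placed in front of
# one of these (report.hwp.scr) only misleads the person reading the name.
EXECUTABLE_EXTS = {"scr", "exe", "com", "pif", "bat", "cmd", "vbs", "js", "hta"}
DOCUMENT_EXTS = {"hwp", "doc", "docx", "pdf", "xls", "xlsx", "ppt", "pptx", "txt"}

# HWP 5.x and legacy Office files are OLE2 compound documents; a PE file
# (an .scr is simply a renamed .exe) starts with the DOS "MZ" stub.
MAGIC = {
    "ole2": b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1",
    "pe": b"MZ",
    "pdf": b"%PDF",
    "zip": b"PK\x03\x04",
}


def extensions(filename):
    """All dotted suffixes of the base name, lower-cased, e.g. ['hwp', 'scr']."""
    base = filename.replace("\\", "/").rsplit("/", 1)[-1].lower()
    parts = base.split(".")
    return parts[1:] if len(parts) > 1 else []


def container_type(header):
    """Classify a file by its leading bytes; 'unknown' if no magic matches."""
    for name, magic in MAGIC.items():
        if header.startswith(magic):
            return name
    return "unknown"


def assess_file(filename, header):
    """Return a list of findings for one file given its name and first bytes."""
    findings = []
    exts = extensions(filename)
    actual = container_type(header)
    # Name check: Windows runs the file by its LAST extension.
    if (len(exts) >= 2 and exts[-1] in EXECUTABLE_EXTS
            and any(e in DOCUMENT_EXTS for e in exts[:-1])):
        findings.append("double-extension disguise (document name, executable extension)")
    # Content check: a document extension on top of a PE executable.
    if exts and exts[-1] in DOCUMENT_EXTS and actual == "pe":
        findings.append("document extension but PE executable content")
    return findings


C2_HOST = "safe-naver-mail.pe.hu"  # C2 host named in the ESRC post
C2_PATH_PREFIX = "/Est/"           # upload/download folder named in the post

# Constructed proxy-log format: ts src method url status "request content-type"
LOG_RE = re.compile(
    r'^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<url>\S+) '
    r'(?P<status>\d{3}) "(?P<ctype>[^"]*)"$'
)


def scan_proxy_log(lines):
    """Return (timestamp, source, reason) for every line touching the C2 host."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        url = urlsplit(m["url"])
        if url.hostname != C2_HOST:
            continue
        if (m["method"] == "POST" and url.path.startswith(C2_PATH_PREFIX)
                and m["ctype"].startswith("multipart/form-data")):
            hits.append((m["ts"], m["src"], "multipart upload to C2 /Est/ folder"))
        else:
            hits.append((m["ts"], m["src"], "contact with known C2 host"))
    return hits


# Constructed sample data for a stand-alone run.
SAMPLE_FILES = [
    ("china_travel_notes.hwp.scr", b"MZ\x90\x00" + b"\x00" * 60),
    ("china_travel_notes.hwp", MAGIC["ole2"] + b"\x00" * 56),
]
SAMPLE_LOG = [
    '2019-01-20T23:41:07Z 10.0.0.23 POST http://safe-naver-mail.pe.hu/Est/ 200 "multipart/form-data; boundary=----x"',
    '2019-01-20T23:41:09Z 10.0.0.23 GET http://safe-naver-mail.pe.hu/Est/ 200 "application/octet-stream"',
    '2019-01-20T23:42:00Z 10.0.0.45 GET https://www.naver.com/ 200 "text/html"',
]

if __name__ == "__main__":
    for name, header in SAMPLE_FILES:
        print(name, assess_file(name, header) or "clean")
    for hit in scan_proxy_log(SAMPLE_LOG):
        print(*hit)
```

The name check alone catches the disguise the post describes, but the content check matters for the decoy and dropped files too: a file that ends in `.hwp` yet opens with `MZ` is an executable regardless of what the name says, which is the class of mismatch an HWP-handling mail gateway or endpoint scanner should flag before the user ever sees the icon.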