Seemingly normal, not normal, yet normal-looking: Hangul document-type malware analysis (ver.2019)
2019-12-26 • Igloo
Igloo analyzed Korean Hangul word processor (HWP) document malware collected in 2019, emphasizing attacks against domestic Korean users through spearphishing documents that appear normal to the reader while executing hidden payloads. The technical sections describe PostScript and Ghostscript abuse, including CVE-2017-8291, XOR-obfuscated shellcode, VBE startup persistence, C2 contact, additional malware downloads, and process injection. Final payload behavior is described as information theft, keylogging, RAT, and backdoor activity, often with no symptoms visible to the user. The report notes that CVE-2017-8291 has been observed in recent APT37 and APT38 activity, so continued exploitation of already patched Hangul vulnerabilities remains relevant for DPRK-focused tracking and Korean enterprise defense.
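The PostScript abuse summarized above is the part a defender can triage mechanically. The following is an added example, not code from Igloo's report: it scans one extracted HWP BinData stream, inflates it the way HWP 5 stores embedded EPS images (raw deflate), and flags PostScript that carries operators associated with Ghostscript -dSAFER bypasses of the CVE-2017-8291 family or an unusually long hex literal (a heuristic for stashed shellcode). The token list and the sample streams are assumptions constructed for this example, not indicators from the report.

```python
import re
import zlib

# Operators/strings that an EPS image embedded in a document essentially never
# needs, but which public -dSAFER bypass detections key on. Assumed list.
SUSPICIOUS_TOKENS = (b".rsdparams", b".eqproc", b"%pipe%", b"/OutputFile", b"eexec")

def maybe_inflate(data: bytes) -> bytes:
    """HWP 5 stores BinData streams raw-deflate compressed (wbits=-15) when the
    FileHeader compression flag is set; accept already-plain PostScript too."""
    if data.lstrip().startswith(b"%!PS"):
        return data
    try:
        return zlib.decompress(data, -15)
    except zlib.error:
        return data

def scan_bindata_stream(name: str, data: bytes) -> dict:
    """Verdict for one BinData stream: benign (not PostScript), review
    (PostScript without indicators), or suspicious (PostScript with indicators)."""
    body = maybe_inflate(data)
    is_ps = body.lstrip().startswith(b"%!PS")
    hits = [t.decode() for t in SUSPICIOUS_TOKENS if t in body]
    # Heuristic: obfuscated payloads are often parked in one very long hex string.
    long_literal = re.search(rb"<[0-9A-Fa-f\s]{512,}>", body) is not None
    if not is_ps:
        verdict = "benign"
    elif hits or long_literal:
        verdict = "suspicious"
    else:
        verdict = "review"
    return {"stream": name, "postscript": is_ps, "suspicious_tokens": hits,
            "long_hex_literal": long_literal, "verdict": verdict}

def deflate_raw(data: bytes) -> bytes:
    """Compress the way HWP does, so the samples exercise the inflate path."""
    c = zlib.compressobj(wbits=-15)
    return c.compress(data) + c.flush()

# Constructed samples (not from the report): a plain EPS rectangle, an EPS
# carrying a bypass operator plus a large hex blob, and a non-PostScript image.
BENIGN_EPS = b"%!PS-Adobe-3.0 EPSF-3.0\n%%BoundingBox: 0 0 100 100\n0 0 100 100 rectfill\nshowpage\n"
BAD_EPS = b"%!PS-Adobe-3.0 EPSF-3.0\n/x { .rsdparams } def\n<" + b"41" * 300 + b">\nshowpage\n"
PNG_LIKE = b"\x89PNG\r\n\x1a\n" + b"\x00" * 64

if __name__ == "__main__":
    for name, blob in (("BinData/BIN0001.eps", deflate_raw(BENIGN_EPS)),
                       ("BinData/BIN0002.eps", deflate_raw(BAD_EPS)),
                       ("BinData/BIN0003.png", deflate_raw(PNG_LIKE))):
        print(scan_bindata_stream(name, blob))
```

In practice the stream bytes come from walking the BinData storage of the HWP compound file (for example with the olefile package); every PostScript stream deserves at least a "review" verdict, since a word processor document rarely needs executable PostScript at all.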