Malicious code disguised as a normal Excel/Word document

2021-05-24 Ahnlab Malicious code disguised as a normal Excel/Word document

https://asec.ahnlab.com/ko/23396/


AhnLab describes malicious Excel and Word documents disguised as normal Korean business or event files, including card-company themed spreadsheets and forum-related documents that prompt users to enable macros. Once macros run, the samples fetch additional PowerShell or script payloads from infrastructure such as manstr.myartsonline.com, rukagu.mypressonline.com, and warms.atwebpages.com, then collect host information, download further components, and attempt persistence. Follow-on payloads include Alzip-themed artifacts and a pagefile.sys component that gathers system data, kills security-related processes, checks for VMware artifacts, and exfiltrates data by email. The source attributes the files to the same operator based on shared macro code and behavior, but does not make a DPRK attribution in the excerpt.

Indicators of Compromise

Type    Value                               First Seen   Last Seen
URL     http://rukagu.mypressonline.com…    2021-05-24   2021-09-01
DOMAIN  rukagu.mypressonline.com            2021-05-24   2021-09-01
EMAIL   [email protected]                   2021-05-24   2021-05-24
URL     http://warms.atwebpages.com/rh/…    2021-05-24   2021-05-24
URL     http://warms.atwebpages.com/rh/…    2021-05-24   2021-05-24
URL     http://warms.atwebpages.com/rh/…    2021-05-24   2021-05-24
URL     http://manstr.myartsonline.com/…    2021-05-24   2021-05-24
URL     http://warms.atwebpages.com/rh/…    2021-05-24   2021-05-24
DOMAIN  wariii.mypressonline.com            2021-05-24   2021-05-24
DOMAIN  warms.atwebpages.com                2021-05-24   2021-05-24
DOMAIN  manstr.myartsonline.com             2021-05-24   2021-05-24
