(Caution) Beware of malicious Hangul documents disguised as the Ministry of Foreign Affairs!!

2019-03-13 Hauri (Caution) Beware of malicious Korean documents disguised as the Ministry of Foreign Affairs!!

https://www.hauri.co.kr/security/issue_view.html?intSeq=392&page=1


Hauri reports continued abuse of malicious Hangul documents delivered by email to Korean users, with one case impersonating a Ministry of Foreign Affairs employee to increase trust. The infection chain uses a link to a malicious HWP document, embedded script execution, and follow-on script downloads from attacker-controlled web paths. The listed infrastructure includes multiple defanged HTTP URLs used for script retrieval, registration with MAC-address parameters, and additional download or query endpoints. The targeting appears focused rather than mass-distributed, aimed at recipients handling diplomacy-related work, creating risk of information theft or further malicious activity on compromised systems.
