Konni APT group carries out attacks using Russia-North Korea-South Korea trade and economic relations investment documents

2019-09-27 ESTSecurity Konni APT group carries out attacks using Russia-North Korea-South Korea trade and economic relations investment documents

https://blog.alyac.co.kr/2535


ESRC observed new Konni activity targeting South Korea that used a malicious Word document, most likely delivered by spear phishing, carrying a Russian-language filename that referred to Russia, North Korea, South Korea, trade, economic ties and investment. Once the recipient enabled macros, the embedded VBA assembled its commands from data stored in ObjectPool TextBox controls: it contacted panda2019.eu5[.]org, copied certutil.exe to mx.exe, downloaded Base64-encoded files, decoded them and executed batch scripts. The chain fetched separate 32-bit and 64-bit payload components, assembled a CAB archive containing the malicious DLLs, an INI file and install.bat, and registered xclientsvc.dll as a Windows service whose entry mimics the legitimate COM+ System Application service. ESRC tied the decoding routine, CAB packaging, UPX packing, custom Base64 alphabets and C2 style to earlier Konni cases, noted the group's continued targeting of South Korean personnel working on North Korea matters, and left open the question of overlap with Kimsuky.
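The chain summarised above leaves several host-level traces that are cheap to hunt for: a copy of certutil.exe running under another name, certutil decoding a dropped Base64 file, an Office process spawning cmd.exe, and a new service whose display name copies "COM+ System Application" but whose name or binary does not match the genuine COMSysApp service (which runs dllhost.exe directly and has no ServiceDll). The following detection sketch is an added example and is not code from ESRC or the report; it runs over constructed Sysmon-style events, and the service name "xclientsvc", the staging paths and the event field layout (7045 fields merged with the registry ServiceDll value) are assumptions, not details from the report.

```python
"""Hunt logic for the Konni indicators described above, run over
constructed Sysmon-style events (sample data, not real telemetry)."""
import re
from pathlib import PureWindowsPath

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
LEGIT_COMSYSAPP_NAME = "comsysapp"      # the genuine service name
LEGIT_COMSYSAPP_HOST = "dllhost.exe"    # the genuine service binary

def _base(path):
    """Lower-cased file name of a Windows path ('' if missing)."""
    return PureWindowsPath(path).name.lower() if path else ""

def _binary(image_path):
    """File name of the executable in a service ImagePath, ignoring arguments."""
    if not image_path:
        return ""
    s = image_path.strip()
    exe = s[1:].split('"', 1)[0] if s.startswith('"') else s.split(None, 1)[0]
    return _base(exe)

def check_process(ev):
    """Indicators raised by one Sysmon EID 1 style process-creation event."""
    hits = []
    image = _base(ev.get("Image"))
    parent = _base(ev.get("ParentImage"))
    orig = (ev.get("OriginalFileName") or "").lower()   # PE version-info name
    cmd = ev.get("CommandLine") or ""
    is_certutil = orig == "certutil.exe" or image == "certutil.exe"
    if orig == "certutil.exe" and image != "certutil.exe":
        hits.append("renamed_certutil")           # certutil.exe copied as mx.exe
    if is_certutil and re.search(r"(?i)(?:^|\s)[-/]decode(?:\s|$)", cmd):
        hits.append("certutil_decode")            # Base64 drop decoded on disk
    if parent in OFFICE_APPS and (image == "cmd.exe" or is_certutil):
        hits.append("office_spawns_shell")        # macro launching cmd/certutil
    return hits

def check_service(ev):
    """Indicators raised by a service-install event (7045 fields plus the
    registry ServiceDll value, merged into one record here)."""
    hits = []
    name = (ev.get("ServiceName") or "").lower()
    display = (ev.get("DisplayName") or "").lower()
    host = _binary(ev.get("ImagePath"))
    dll = _base(ev.get("ServiceDll"))
    if "com+ system application" in display or name == LEGIT_COMSYSAPP_NAME:
        # The real COMSysApp runs dllhost.exe directly and has no ServiceDll.
        if name != LEGIT_COMSYSAPP_NAME or host != LEGIT_COMSYSAPP_HOST or dll:
            hits.append("comsysapp_masquerade")
    return hits

def scan(events):
    """Return {event_id: [indicators]} for every event that raised one."""
    findings = {}
    for ev in events:
        hits = check_service(ev) if ev["type"] == "service" else check_process(ev)
        if hits:
            findings[ev["id"]] = hits
    return findings

# Constructed sample telemetry. mx.exe, xclientsvc.dll and install.bat come
# from the report; the service name "xclientsvc" and all paths are assumed.
SAMPLE_EVENTS = [
    {"id": 1, "type": "process",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "Image": r"C:\Windows\System32\cmd.exe", "OriginalFileName": "Cmd.Exe",
     "CommandLine": r"cmd.exe /c copy C:\Windows\System32\certutil.exe C:\Users\Public\mx.exe"},
    {"id": 2, "type": "process", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Users\Public\mx.exe", "OriginalFileName": "CertUtil.exe",
     "CommandLine": r"mx.exe -decode C:\Users\Public\1.txt C:\Users\Public\1.cab"},
    {"id": 3, "type": "process", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\System32\certutil.exe", "OriginalFileName": "CertUtil.exe",
     "CommandLine": r"certutil.exe -verify C:\certs\server.cer"},        # benign use
    {"id": 4, "type": "service", "ServiceName": "xclientsvc",
     "DisplayName": "COM+ System Application",
     "ImagePath": r"C:\Windows\System32\svchost.exe -k netsvcs",
     "ServiceDll": r"C:\Windows\System32\xclientsvc.dll"},
    {"id": 5, "type": "service", "ServiceName": "COMSysApp",
     "DisplayName": "COM+ System Application",
     "ImagePath": r"C:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}",
     "ServiceDll": None},                                                # the genuine service
]

if __name__ == "__main__":
    for eid, hits in scan(SAMPLE_EVENTS).items():
        print(f"event {eid}: {', '.join(hits)}")
```

The renamed-certutil check relies on the OriginalFileName field that Sysmon populates from the PE version resource, so it survives the copy-to-mx.exe step; the service check deliberately fires on either a foreign service name carrying the COM+ display name or the genuine name pointing at anything other than dllhost.exe, since both are ways of hiding an extra DLL behind a familiar label.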
