Konni APT organization conducts 'Coin Plan' operation using HWP vulnerability
2019-10-01 • ESTSecurity • Konni APT organization conducts 'Coin Plan' operation using HWP vulnerability
ESRC reported Operation Coin Plan, a Konni campaign with strong Kimsuky links that used a malicious HWP document named to look like a marketing plan for cryptocurrency mining. The HWP file embedded PostScript (BIN0001.PS), decoded shellcode with a 16-byte XOR key, and attempted to contact attacker-controlled C2 if the exploit succeeded. The lure content centered on cryptocurrency mining, aligning with the group’s recent use of coin-related themes. The report is relevant for defenders tracking HWP exploit chains, Konni/Kimsuky overlap, and crypto-themed spear-phishing operations.