Malware Distributed via Hangul Document Posing as Coronavirus Response Emergency Inquiry

2020-04-02 Ahnlab Emergency inquiry on coronavirus response: Korean document spreading malicious code

https://asec.ahnlab.com/1310

ASEC reported malicious HWP documents disguised as urgent COVID-19 response inquiries from Korean regional infection-control organizations, including Jeollanam-do and Incheon. Unlike common Office macro lures, these Hangul files embedded EPS content that used PowerShell to contact external URLs and download additional malware. The downloaded executable provided information-stealing and backdoor functions, sending collected system data to attacker-controlled C2 servers. AhnLab noted detection for both the HWP exploit and the Windows payload, and highlighted behavior-based detection for the malicious download and execution chain.

Indicators of Compromise

| Type | Value | First Seen | Last Seen |
|------|-------|------------|-----------|
| URL | http://www.kingsvc.cc/index.php | 2020-04-02 | 2020-05-29 |
| URL | http://www.sofa.rs/wp-admin/net… | 2020-04-02 | 2020-05-29 |
| HASH | 8451be72b75a38516e7ba7972729909e | 2020-04-02 | 2020-05-09 |
| URL | http://www.mbrainingevents.com/… | 2020-04-02 | 2020-04-15 |
| URL | http://www.afuocolento.it/wp-ad… | 2020-04-02 | 2020-04-15 |
