ESRC attributed an April 2020 APT attack to the Konni group, using a Korean-language MS Word lure themed around COVID-19 mask demand. The document prompted users to enable content; its macro then downloaded additional files from attacker infrastructure and installed malware while showing mask-related decoy content to reduce suspicion. The source links the tooling and custom Base64-style evasion to previous Konni activity and notes that infected systems uploaded host information, running applications, tasks, and process data to an attacker-controlled FTP server. ESRC warned that Konni had repeatedly used socially relevant themes against South Korean targets, including earlier North Korea policy and Tokyo Paralympics-related lures.