Thallium group: attack disguised as a 2021 Ministry of Foreign Affairs fact-finding survey on service at overseas diplomatic missions

2021-05-07 ESTSecurity: Thallium group disguised an attack as a fact-finding survey on service at the Ministry of Foreign Affairs's overseas missions in 2021.

https://blog.alyac.co.kr/3754


ESRC attributes a malicious file masquerading as a 2021 Ministry of Foreign Affairs overseas-mission service survey (news-style document) to the North Korea-backed Thallium group. The JSE-based package dropped a decoy PDF plus encoded files under C:\ProgramData\ and installed a 64-bit DLL disguised as ESTsoft update software under C:\ProgramData\Software\ESTsoft\Common\. The DLL registered itself for autorun, exfiltrated information about the infected system to texts.letterpaper.press, and provided remote-control capability. ESRC links the sample to the Blue Estimate campaign because its internal string-encryption method matches prior Thallium tooling.

Indicators of Compromise

Type     Value    First Seen    Last Seen
DOMAIN   re.kr    2021-05-07    2021-05-07
