Comparative Analysis of Thallium APT Threat Actor Traces and Malicious Files by Case
2020-10-13 • ESTSecurity
ESRC reports that the Thallium APT group remains active against South Korea-focused targets connected to North Korea human-rights work and defector communities. Recent malicious Word documents were created under the same account name, shared a single macro-lure image hash, and ran obfuscated PowerShell that contacted attacker-controlled web hosts (atwebpages/myartsonline infrastructure) to retrieve additional commands. Delivery relied on Korean-language spear-phishing lures impersonating government or research contexts, and the samples carry recurring operator traces: Korean keyboard and font artifacts, and the WebKitFormBoundarywhpFxMBe19cSjFnG string previously associated with Thallium tooling. The report notes a shift toward malicious DOC macro delivery with keylogger follow-on payloads, away from the group's earlier HWP exploit-heavy tradecraft.
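A defender-side triage check for the traces summarised above, written as an added example and not code from the ESRC report: it scores constructed process and HTTP events for Office-spawned encoded PowerShell, for contact with atwebpages/myartsonline hosts, and for the reused WebKitFormBoundarywhpFxMBe19cSjFnG string. The .com host suffixes, the hypothetical event field names, and treating the string as a multipart Content-Type boundary are assumptions.

```python
import re
from typing import Dict, List, Optional

# Indicators taken from the report summary above.
THALLIUM_BOUNDARY = "WebKitFormBoundarywhpFxMBe19cSjFnG"
# The report names atwebpages / myartsonline hosting; the ".com" suffixes are an assumption.
SUSPECT_HOST_SUFFIXES = (".atwebpages.com", ".myartsonline.com")
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe"}

BOUNDARY_RE = re.compile(r'boundary="?([^";]+)"?', re.IGNORECASE)
ENCODED_FLAG_RE = re.compile(r"-(enc|encodedcommand|e)\b", re.IGNORECASE)

def boundary_of(content_type: str) -> Optional[str]:
    """Extract the boundary parameter from a multipart Content-Type header."""
    m = BOUNDARY_RE.search(content_type)
    return m.group(1) if m else None

def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()

def score_event(ev: Dict[str, str]) -> List[str]:
    """Return the reasons an event matches the Thallium tradecraft described above."""
    reasons = []
    if ev.get("host", "").lower().endswith(SUSPECT_HOST_SUFFIXES):
        reasons.append("contact with atwebpages/myartsonline hosting")
    b = boundary_of(ev.get("content_type", ""))
    if b and THALLIUM_BOUNDARY in b:  # legitimate WebKit boundaries are random per request
        reasons.append("reused Thallium multipart boundary")
    parent, image = basename(ev.get("parent_image", "")), basename(ev.get("image", ""))
    if parent in OFFICE_PARENTS and image == "powershell.exe":
        reasons.append("Office spawned PowerShell")
    if image == "powershell.exe" and ENCODED_FLAG_RE.search(ev.get("command_line", "")):
        reasons.append("encoded PowerShell command")
    return reasons

def triage(events: List[Dict[str, str]]) -> List[List[str]]:
    """Score every event; an empty list means nothing matched."""
    return [score_event(ev) for ev in events]

# Constructed sample telemetry (hypothetical field names); "ZABlAG0AbwA=" is UTF-16LE "demo".
SAMPLE_EVENTS = [
    {"parent_image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell.exe -w hidden -enc ZABlAG0AbwA="},
    {"host": "some-user.atwebpages.com", "method": "POST",
     "content_type": "multipart/form-data; boundary=----" + THALLIUM_BOUNDARY},
    {"host": "update.example.org", "method": "GET", "content_type": ""},
]

if __name__ == "__main__":
    for ev, reasons in zip(SAMPLE_EVENTS, triage(SAMPLE_EVENTS)):
        print(ev.get("host") or ev.get("command_line"), "->", reasons or "clean")
```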