Thallium Group Conducting Spear-Phishing Attacks Impersonating the Korea Telecommunications Operators Association
2021-09-23 • ESTSecurity • Thallium organization is carrying out spear phishing attacks impersonating the Korea Telecommunications Operators Association
ESTsecurity ESRC attributes a spear-phishing campaign impersonating the Korea Telecommunications Operators Association to Thallium/Kimsuky, a DPRK-linked APT focused on South Korean government and major institutions. The lure email claimed to request a UNMS user-status inspection and delivered a compressed Excel workbook that encouraged victims to enable Office content. Hidden sheets stored obfuscated commands and C2 information that decoded into a regsvr32/scrobj.dll execution chain contacting an attacker-controlled FTP URL at kamika2e[.]com. ESRC notes the document had been seen earlier in the year with only the internal C2 address changed, indicating reuse and continued refinement of Thallium phishing tradecraft.