APT attack disguised as a North Korean defector resume form (VBS script)

2022-03-29 AhnLab APT attack disguised as North Korean defector resume form (VBS script)

https://asec.ahnlab.com/ko/33141/

AhnLab ASEC observed phishing emails that use North Korea-related broadcasting recruitment content to lure recipients into opening a compressed attachment. The archive contains a malicious VBS file disguised as a 2022 resume form.

When run, the script collects information on running processes, the routing table, and the Program Files and Program Files (x86) directories, Base64-encodes the data, and sends it together with the username to fserverone.webcindario[.]com/contri/sqlite/msgbugPlog.php. It opens a decoy HWP resume form, passes the server's response data to PowerShell for execution, creates %AppData%\mscornet.vbs, registers persistence through a scheduled task named Google Update Source Link, copies itself to the startup folder, and deletes the original VBS.

A response recorded on March 26 used PowerShell and certutil to decode and run mscornet.vbs, which in turn contacted cmaildowninvoice.webcindario[.]com/contri/sqlite/msgbugGlog.php for attacker-controlled commands.
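
As an added hunting example (not code from the ASEC post), the chain above reduces to a handful of host-level signals: a script host (wscript/cscript) spawning PowerShell, certutil decoding a file, mscornet.vbs appearing under %AppData%, a scheduled task with that exact name, a .vbs copy in the Startup folder, and DNS lookups or HTTP requests to the two webcindario[.]com hosts. The Python below checks simplified Sysmon-style events for those signals. The event schema, the hostnames WS-01 and WS-02, the sample command lines and the file name sample.vbs are assumptions of the example and constructed for illustration; the benign look-alike events on WS-02 show why the task check is an exact name match rather than a substring match on "Google Update".

```python
"""Hunt for the tradecraft described above (VBS -> PowerShell, certutil decode,
mscornet.vbs drop, 'Google Update Source Link' task, startup-folder copy,
C2 contact) in endpoint telemetry.

Assumption of this example: events are dicts with a 'host', a 'kind'
('process', 'file', 'task', 'dns', 'http') and the per-kind fields used below.
This simplified schema and the sample events are constructed for illustration;
they are not a real log format or real captures from the campaign."""
import re
from urllib.parse import urlsplit

# Indicators taken from the summary above.
C2_DOMAINS = {"fserverone.webcindario.com", "cmaildowninvoice.webcindario.com"}
C2_PATHS = {"/contri/sqlite/msgbugplog.php", "/contri/sqlite/msgbugglog.php"}
TASK_NAME = "google update source link"
DROPPED_NAME = "mscornet.vbs"
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
STARTUP_DIR = re.compile(r"\\microsoft\\windows\\start menu\\programs\\startup\\", re.I)


def _base(path):
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def check_event(ev):
    """Return the names of the rules a single event matches (possibly several)."""
    hits = []
    kind = ev.get("kind")
    if kind == "process":
        parent = _base(ev.get("parent_image", ""))
        image = _base(ev.get("image", ""))
        cmd = ev.get("command_line", "").lower()
        # The VBS hands the C2 response to PowerShell.
        if parent in SCRIPT_HOSTS and image == "powershell.exe":
            hits.append("script_host_spawns_powershell")
        # The recorded response decoded the second stage with certutil.
        if image == "certutil.exe" and "-decode" in cmd:
            hits.append("certutil_decode")
    elif kind == "file":
        target = ev.get("target", "")
        if _base(target) == DROPPED_NAME and "\\appdata\\" in target.lower():
            hits.append("mscornet_vbs_in_appdata")
        if target.lower().endswith(".vbs") and STARTUP_DIR.search(target):
            hits.append("vbs_in_startup_folder")
    elif kind == "task":
        # Exact match: the real Google updater tasks carry different names.
        if ev.get("task_name", "").strip().lower() == TASK_NAME:
            hits.append("scheduled_task_google_update_source_link")
    elif kind == "dns":
        if ev.get("query", "").lower().rstrip(".") in C2_DOMAINS:
            hits.append("c2_domain_lookup")
    elif kind == "http":
        parts = urlsplit(ev.get("url", ""))
        if parts.hostname in C2_DOMAINS or parts.path.lower() in C2_PATHS:
            hits.append("c2_url_contact")
    return hits


def summarize(events):
    """Map each host to the sorted set of rules it triggered; quiet hosts are omitted."""
    per_host = {}
    for ev in events:
        for rule in check_event(ev):
            per_host.setdefault(ev["host"], set()).add(rule)
    return {host: sorted(rules) for host, rules in per_host.items()}


# Constructed sample telemetry: WS-01 mirrors the chain in the summary, WS-02 is benign noise.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    {"host": "WS-01", "kind": "process", "parent_image": r"C:\Windows\System32\wscript.exe",
     "image": PS, "command_line": "powershell.exe -Command <c2 response>"},
    {"host": "WS-01", "kind": "process", "parent_image": PS,
     "image": r"C:\Windows\System32\certutil.exe",
     "command_line": r"certutil -decode <encoded> C:\Users\u\AppData\Roaming\mscornet.vbs"},
    {"host": "WS-01", "kind": "file", "target": r"C:\Users\u\AppData\Roaming\mscornet.vbs"},
    {"host": "WS-01", "kind": "task", "task_name": "Google Update Source Link"},
    {"host": "WS-01", "kind": "file",
     "target": r"C:\Users\u\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sample.vbs"},
    {"host": "WS-01", "kind": "dns", "query": "fserverone.webcindario.com"},
    {"host": "WS-01", "kind": "http",
     "url": "http://cmaildowninvoice.webcindario.com/contri/sqlite/msgbugGlog.php"},
    # Benign look-alikes that must not fire.
    {"host": "WS-02", "kind": "process", "parent_image": r"C:\Windows\explorer.exe",
     "image": PS, "command_line": "powershell.exe"},
    {"host": "WS-02", "kind": "process", "parent_image": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\certutil.exe",
     "command_line": r"certutil -hashfile C:\tmp\setup.exe SHA256"},
    {"host": "WS-02", "kind": "task", "task_name": "GoogleUpdateTaskMachineCore"},
    {"host": "WS-02", "kind": "dns", "query": "update.googleapis.com"},
]

if __name__ == "__main__":
    for host, rules in summarize(SAMPLE_EVENTS).items():
        print(host, "->", ", ".join(rules))
```

Run stand-alone, the block lists the seven rules WS-01 tripped and nothing for WS-02. Any one rule on its own (PowerShell under wscript, certutil -decode) is noisy in a real estate; the useful alert is a host that trips several within a short window, which is what the per-host summary is for.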

Indicators of Compromise

Type    Value                              First Seen   Last Seen
URL     http://fserverone.webcindario.c…   2022-03-29   2022-03-29
DOMAIN  fserverone.webcindario.com         2022-03-29   2022-03-29
DOMAIN  cmaildowninvoice.webcindario.com   2022-03-29   2022-03-29
