Beware of the APT attack on the Ministry of Unification press corps, 'Operation Cobra Venom'
2019-01-07 • ESTSecurity • APT attack against Unification Ministry reporters, beware of 'Operation Cobra Venom'
ESRC reported Operation Cobra Venom, a January 2019 spear-phishing campaign against about 77 reporters covering South Korea’s Ministry of Unification and related beats. The lure email used Korean text and a password-protected archive with benign PDF/HWP decoys plus an HWP-disguised executable that unpacked WSF scripts. Those scripts contacted Google Drive and my-homework.890m.com to retrieve and decode brave.rar into the 32-bit Freedom.dll payload, with 64-bit follow-on components named to imitate Korean security software such as AhnLabMon.dll. The malware beaconed system information with a Cobra_ prefix and segmented C2 paths, and ESRC linked the code layout, parameters, decoding routines, and ago2.co.kr infrastructure to earlier activity attributed to the same state-backed threat group.
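The summary above names the indicators a defender can actually pivot on: the two download/C2 hosts, the staged file names, the HWP-disguised executable, and the Cobra_ prefix on beacon requests. The following is an added example, not ESRC's or ESTSecurity's code, showing how those indicators can be matched against web-proxy logs. The log layout (timestamp, client IP, method, URL, status) and the sample lines are constructed for this example; the hostnames, file names and prefix are the ones the report names, and the double-extension check (`.hwp.exe` and similar) is an assumption about how an "HWP-disguised executable" would appear in a URL.

```python
"""Match Operation Cobra Venom indicators against a (constructed) proxy log."""
import re
from urllib.parse import urlparse

# Indicators named in the ESRC report summarised on this page.
KNOWN_C2_HOSTS = {"my-homework.890m.com", "ago2.co.kr"}
KNOWN_PAYLOAD_NAMES = {"brave.rar", "freedom.dll", "ahnlabmon.dll"}
BEACON_PREFIX = "Cobra_"

# Assumed log layout (constructed for this example, not from the report):
#   <timestamp> <client-ip> <method> <url> <status>
LOG_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\d{3})$")

# Double-extension lure: a name ending in .hwp followed by an executable suffix.
# This is an assumed rendering of the report's "HWP-disguised executable".
HWP_DISGUISE_RE = re.compile(r"\.hwp\.(exe|scr|com|pif)$", re.IGNORECASE)


def classify_request(line: str):
    """Return a finding dict for one log line, or None if nothing matches."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts, client, method, url, status = m.groups()
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    filename = parsed.path.rsplit("/", 1)[-1]
    hits = []
    if host in KNOWN_C2_HOSTS:
        hits.append("known-c2-host")
    if filename.lower() in KNOWN_PAYLOAD_NAMES:
        hits.append("known-payload-name")
    if HWP_DISGUISE_RE.search(filename):
        hits.append("hwp-disguised-executable")
    # The report describes beacons carrying a Cobra_ prefix and segmented C2 paths,
    # so check every path segment and the query string for that prefix.
    segments = [s for s in parsed.path.split("/") if s] + [parsed.query]
    if any(s.startswith(BEACON_PREFIX) for s in segments):
        hits.append("cobra-prefixed-beacon")
    if not hits:
        return None
    return {"time": ts, "client": client, "host": host, "url": url, "hits": hits}


def scan_log(text: str):
    """Run classify_request over every line and return the findings in order."""
    return [f for f in (classify_request(ln) for ln in text.splitlines()) if f]


# Constructed sample log: three suspicious requests and one benign one.
# Hosts other than the two report-named C2 hosts are placeholders.
SAMPLE_LOG = """\
2019-01-07T09:12:01Z 10.0.0.15 GET http://my-homework.890m.com/upload/brave.rar 200
2019-01-07T09:12:05Z 10.0.0.15 POST http://ago2.co.kr/bbs/Cobra_WIN7-PC/info.php?Cobra_data=ZGF0YQ== 200
2019-01-07T09:15:30Z 10.0.0.22 GET https://news.example.invalid/press/index.html 200
2019-01-07T09:16:10Z 10.0.0.31 GET http://download.example.invalid/files/report.hwp.exe 200
"""

if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding["time"], finding["client"], finding["host"], ", ".join(finding["hits"]))
```

Two caveats when turning this into a real detection: the report also says the scripts fetched content from Google Drive, but matching on that domain alone would be far too noisy for a newsroom, so this example leaves it out and relies on the attacker-controlled hosts instead; and a filename hit on its own (a DLL named to imitate AhnLab software, for instance) is lower confidence than a hit on a named C2 host or a Cobra_-prefixed beacon, so weight the categories accordingly rather than alerting uniformly on any match.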