APT attack linked to North Korea impersonates the Ministry of Unification… ‘Disguised as a work notice warning of cyber attacks’
2021-08-13 • ESTSecurity
ESRC reports a spear-phishing attack against South Korean personnel working on North Korea-related issues that impersonated an official from the Ministry of Unification settlement-support office. The lure email used cyber-safety guidance as pretext and pushed a malicious Word document, “210811_업무연락(사이버안전).doc,” that displayed a fake Office compatibility prompt to induce the victim to enable macros. Analysis found malicious macro code and use of a compromised South Korean exam-academy site as command-and-control infrastructure. ESRC links the activity to the Thallium “Smoke Screen” campaign and notes related DOC and PDF exploit activity targeting current and former South Korean officials, media figures, and North Korea-focused specialists.