APT attack using a malicious Word document based on a specific paper

2021-10-15 AhnLab: APT attack using malicious Word documents based on specific papers

https://asec.ahnlab.com/ko/27760/


ASEC reported targeted malicious Word documents that use defense- and policy-themed academic lures, including a document built from a real paper on defense reform and military force-structure modernization. The embedded macro matches earlier samples distributed as conference, payment-request, and policy-document lures, which suggests the same operator. It downloads data from an encoded C2 URL, writes it to %APPDATA%\desktop.ini, and executes that file through wscript. The source lists related C2 endpoints such as n4028chu.mywebcommunity.org/d.php, 0knw2300.mypressonline[.]com/d.php, and hanjutour.atwebpages[.]com/d.php. ASEC notes related reporting that attributed similar activity to Kimsuky/Thallium or another North Korea-linked group, while also allowing for the possibility of imitation.

Indicators of Compromise

Type     Value                                  First Seen   Last Seen
URL      http://0knw2300.mypressonline.c…       2021-10-15   2022-08-25
DOMAIN   0knw2300.mypressonline.com             2021-10-15   2022-08-25
URL      http://hanjutour.atwebpages.com…       2021-10-15   2021-10-15
URL      http://n4028chu.mywebcommunity.…       2021-10-15   2021-10-15
URL      http://n4028chu.atwebpages.com/…       2021-10-15   2021-10-15
URL      http://23000knw.mypressonline.c…       2021-10-15   2021-10-15
DOMAIN   hanjutour.atwebpages.com               2021-10-15   2021-10-15
DOMAIN   23000knw.mypressonline.com             2021-10-15   2021-10-15
DOMAIN   n4028chu.mywebcommunity.org            2021-10-15   2021-10-15
DOMAIN   n4028chu.atwebpages.com                2021-10-15   2021-10-15
