Analysis of the 'Operation Onezero' APT attack carried out with documents related to the Panmunjom Declaration
2018-05-28 • ESTSecurity • Analysis of the Operation Onezero APT attack using documents about the Panmunjom Declaration
ESRC analyzed a May 2018 targeted APT case using an HWP lure themed around the end-of-war declaration and the Panmunjom inter-Korean summit, with overlaps to Kimsuky and Geumseong121 activity. The malicious HWP contained repeated shellcode streams that decoded in memory, loaded a malicious module through notepad.exe, dropped core.dll in the temporary folder, and registered fontchk.jse in the Startup folder for execution by wscript.exe. The script contacted Google Drive URLs to download brid.mki and 7za.exe into ProgramData, used the password 201805 to extract the encrypted archive, and loaded brid.ige as a DLL payload. The campaign also used a Netherlands-based host for second-stage command activity and stored additional encrypted modules such as boot and query, while earlier related variants also used Google Drive C2 and core-named downloads. The report is significant because it shows Korean political summit-themed spear-phishing tied to a continuing state-sponsored intrusion set and documents specific persistence, staging, and C2 tradecraft.
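As an added defender-side example (not code from the ESRC report), the Python rules below flag two of the stages described above in process-creation telemetry: wscript.exe launching a .jse from the Startup folder, and that script host then running 7za.exe out of ProgramData with a password switch. The event field names and every sample path are constructed assumptions, not real telemetry.

```python
import re
from dataclasses import dataclass

@dataclass
class ProcEvent:
    """One process-creation record (field names mimic Sysmon Event ID 1; assumed layout)."""
    parent_image: str
    image: str
    command_line: str

# fontchk.jse was registered in the user's Startup folder and executed by wscript.exe.
STARTUP_JSE = re.compile(r'\\start menu\\programs\\startup\\[^"\s]+\.jse\b', re.I)
# 7-Zip's password switch (-p<password>); the report's archive used 201805.
SEVENZIP_PASSWORD = re.compile(r"(?:^|\s)-p\S+")

def startup_jse_via_wscript(e: ProcEvent) -> bool:
    """Persistence stage: wscript.exe launching a .jse out of the Startup folder."""
    return e.image.lower().endswith("\\wscript.exe") and bool(STARTUP_JSE.search(e.command_line))

def script_spawns_7za_in_programdata(e: ProcEvent) -> bool:
    """Staging stage: the script host running 7za.exe from ProgramData with a password."""
    return (e.parent_image.lower().endswith("\\wscript.exe")
            and e.image.lower().endswith("\\7za.exe")
            and "\\programdata\\" in e.image.lower()
            and bool(SEVENZIP_PASSWORD.search(e.command_line)))

RULES = {f.__name__: f for f in (startup_jse_via_wscript, script_spawns_7za_in_programdata)}

def detect(events):
    """Return (rule_name, image) for every event that matches a rule, in event order."""
    return [(name, e.image) for e in events for name, rule in RULES.items() if rule(e)]

# Constructed sample telemetry: two benign events bracketing the two malicious stages.
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\wscript.exe",
              r'wscript.exe "C:\Users\alice\Documents\inventory.vbs"'),
    ProcEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\wscript.exe",
              r'"C:\Windows\System32\wscript.exe" "C:\Users\alice\AppData\Roaming\Microsoft'
              r'\Windows\Start Menu\Programs\Startup\fontchk.jse"'),
    ProcEvent(r"C:\Windows\System32\wscript.exe", r"C:\ProgramData\7za.exe",
              r"C:\ProgramData\7za.exe x -p201805 C:\ProgramData\brid.mki -oC:\ProgramData -y"),
    ProcEvent(r"C:\Windows\explorer.exe", r"C:\Program Files\7-Zip\7z.exe",
              r"7z.exe x C:\Users\alice\Downloads\photos.7z"),
]

if __name__ == "__main__":
    for name, image in detect(SAMPLE_EVENTS):
        print(f"{name}: {image}")
```

Both rules key on the parent/child relationship and file location rather than on the file names alone, so a renamed script or archive still trips them.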