Beware of HWP Hangul document malware using PostScript

2020-04-28 Ahnlab Beware of malware in HWP Hangul documents using PostScript

https://asec.ahnlab.com/1315


ASEC warned that HWP malware using Encapsulated PostScript (EPS) objects had increased in April 2020, including lures impersonating COVID-19 infection-control organizations and Korea Hydro & Nuclear Power recruitment notices. The attacker inserted malicious EPS content into otherwise normal-looking Hangul documents and simplified the PostScript syntax so that the CVE-2017-8291 exploit and the shellcode were hidden inside hexadecimal data, which the script turned into executable code with cvx and then ran with exec. The payloads downloaded files from external servers, saved them under image-like names such as skype.jpg or photo.jpg, and executed them with regsvr32, or saved a further download as svchost.exe and ran it. The report emphasizes that the simplified PostScript pattern made detection harder and called for behavioral and exploit-focused detection rather than reliance on the visible document content alone.

Indicators of Compromise

