APT attack using a "profile form" Word document

2022-05-02 SECUI APT attack using "profile form" Word document

https://stic.secui.com/main/main/threatInfo?id=1

SECUI STIC observed a North Korea-backed APT campaign targeting South Korean security and unification-related organizations with spearphishing emails carrying a password-protected Word document named as a profile form. When the victim enabled macros, the document ran a Document_Open VBA macro that launched PowerShell, contacted the C2 server, and downloaded an additional PowerShell script. That script collected file listings from the Program Files paths and the output of systeminfo, saved the data under %APPDATA%\Ahnlab\Ahnlab.hwp, and could receive further commands for background execution. Communications with uekaf.myartsonline[.]com were XOR-encoded with a 160-byte key to obscure both the collected data and the attacker's commands; the related URLs and hashes are listed below as IOCs.
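One way to turn the behaviour chain above into host-based detection logic, as an added example that is not part of the SECUI report: it runs constructed Sysmon-style events (IDs 1, 11 and 22 for process creation, file creation and DNS query) through three rules covering Office spawning a shell, a write to the report's staging path, and a lookup of the report's C2 domain. The event shape and all sample values except the path and domain from the report are assumptions.

```python
import re

# Constructed sample telemetry in a simplified Sysmon-like shape (not real data
# from the campaign): id 1 = process create, 11 = file create, 22 = DNS query.
SAMPLE_EVENTS = [
    {"id": 1, "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"},
    {"id": 1, "parent": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"id": 11, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "target": r"C:\Users\victim\AppData\Roaming\Ahnlab\Ahnlab.hwp"},
    {"id": 22, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "query": "uekaf.myartsonline.com"},
    {"id": 11, "image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "target": r"C:\Users\victim\Documents\report.docx"},   # benign document save
    {"id": 1, "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},  # admin use
]

OFFICE_APPS = ("winword.exe", "excel.exe", "powerpnt.exe")
SHELLS = ("powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe")
# %APPDATA% expands to ...\AppData\Roaming, so the report's staging path ends like this.
STAGING_RE = re.compile(r"\\AppData\\Roaming\\Ahnlab\\Ahnlab\.hwp$", re.IGNORECASE)
C2_DOMAIN = "uekaf.myartsonline.com"


def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def match_rules(event):
    """Return the names of the detection rules a single event triggers."""
    hits = []
    if (event["id"] == 1 and basename(event["parent"]) in OFFICE_APPS
            and basename(event["image"]) in SHELLS):
        hits.append("office_spawns_shell")            # Document_Open macro -> PowerShell
    if event["id"] == 11 and STAGING_RE.search(event["target"]):
        hits.append("staging_file_under_fake_ahnlab_path")  # collected data written to disk
    if event["id"] == 22:
        q = event["query"].lower().rstrip(".")
        if q == C2_DOMAIN or q.endswith("." + C2_DOMAIN):
            hits.append("dns_query_to_known_c2")      # also catches subdomains of the C2
    return hits


def scan(events):
    """Run every event through the rules; return (event_index, rule_name) pairs."""
    return [(i, r) for i, e in enumerate(events) for r in match_rules(e)]
```

Only the three malicious events fire; the benign Word launch, document save and admin PowerShell session produce no hits.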

Indicators of Compromise

Type     Value                                First Seen   Last Seen
HASH     9a54b0adff7424a02edfe7c365b6a69…     2022-05-02   2022-05-02
HASH     7a9d43c263347243fd67cc59ee8e719…     2022-05-02   2022-05-02
URL      http://uekaf.myartsonline.com/h…     2022-05-02   2022-05-02
URL      http://uekaf.myartsonline.com/h…     2022-05-02   2022-05-02
URL      http://uekaf.myartsonline.com/h…     2022-05-02   2022-05-02
URL      http://uekaf.myartsonline.com/h…     2022-05-02   2022-05-02
DOMAIN   uekaf.myartsonline.com               2022-05-02   2022-05-02