Kimsuky's true identity revealed in 'Smoke Screen', an APT campaign targeting Korea and the US

2019-04-17 ESTSecurity Kimsuky's true identity revealed in 'Smoke Screen', an APT campaign targeting Korea and the US

https://blog.alyac.co.kr/2243


ESRC links the activity to Kimsuky and its Operation Stealth Power / Campaign Smoke Screen cluster, describing spear-phishing against people working on North Korea-related issues and related South Korea-U.S. policy themes. The attacker used encrypted malicious HWP documents themed around Korea-U.S. summit remarks and other Korean peninsula issues; the document content, once opened, contacted C2 infrastructure and loaded HTA/VBScript stages. The chain ran PowerShell-based keylogging and reconnaissance, established persistence, and exfiltrated victim data through paths such as first.hta, expres.php, upload.php, and keylogger1.ps1 hosted on compromised web servers. The report also connects the Korean HWP activity with overseas malicious DOC variants such as TaskForceReport.doc and BabyShark-linked infrastructure, noting shared script structure, account artifacts, upload paths, and keylogger functions.
