ESRC ties Operation Blue Sky to a Korean-speaking Konni cluster after repeated malicious DOC variants reused the “BlueSky” author account and cryptocurrency-themed decoys. The documents urged macro execution, then contacted spoofed portal-like or 1apps-hosted C2 paths such as mail.naver-download.com, alabamaok0515.1apps.com, fighiting1013.org, and tgbabcrfv.1apps.com to retrieve staged scripts and payloads. The chain copied certutil.exe as ct.exe, decoded Base64 data into setup.cab, installed executables such as picture.exe or victory.exe, and set Run-key persistence. One stage attempted to download sp.exe and connect to an AMADEY panel at charley-online.com/back/2019/index.php, showing Konni’s Blue Sky activity incorporating a publicly available Russian botnet component.