Beware of Information-Collecting Malicious Emails Impersonating the Korea Internet Information Center (KRNIC)

2022-03-25 ESTSecurity Beware of information-collecting malicious emails impersonating the Korea Internet Information Center (KRNIC)

https://blog.alyac.co.kr/4586


ESRC reported malicious emails impersonating the Korea Internet Information Center (KRNIC) and using Internet address-policy notices to deliver password-protected Word documents with Korean-language customer-information lure names. The documents prompted users to enable macros, displayed decoy content or messages, and then downloaded 32-bit or 64-bit payloads from multiple naveicoip* domains before decoding and injecting the malware into a child word.exe process. The campaign expanded into Binance, cryptocurrency investment, police summons, emergency-support, login, quotation, and complaint-themed document names to increase user interaction. The source frames the activity as information-collection malware using Korean-language social-engineering themes and rapidly changing payload infrastructure.
