New Attack Using a Flash Vulnerability Embedded in Hangul Documents (HWP)

2020-11-25 Ahnlab New attack using Hangul Document (HWP) internal flash vulnerability

https://asec.ahnlab.com/ko/16383/


ASEC observed an HWP attack that embedded a Flash object exploiting CVE-2018-15982, delivered with a lure titled "Unification Korea Forum participant honorarium profile form". The document was believed to download and run a Flash file from sjem.co.kr inside the HWP.EXE process, a likely evasion choice because exploitation occurred outside the browser, where Flash-focused protections are typically applied. The shellcode launched cmd.exe, injected additional code into it, and attempted to download a binary from OneDrive; AhnLab telemetry later identified an HncUpdate.exe payload with information-stealing and remote-command functions. The malware collected user and file information, uploaded the data to Korean-hosted infrastructure, and referenced Chinotto-related paths, mutex values and C2 URLs in its internal strings.

Indicators of Compromise

| Type   | Value                                | First Seen | Last Seen  |
|--------|--------------------------------------|------------|------------|
| URL    | http://www.sjem.co.kr/admin/dat…     | 2020-11-25 | 2022-08-29 |
| DOMAIN | haeundaejugong.com                   | 2020-11-25 | 2021-11-29 |
| URL    | https://onedrive.live.com/downl…     | 2020-11-25 | 2020-11-25 |
