한글 파일 공격 분석… 공격자 뭘 노렸나

2018-03-05, AhnLab: Analysis of Hangul file attacks… What did the attacker aim for?

http://www.ahnlab.com/kr/site/securityinfo/secunews/secuNewsView.do?seq=27234


AhnLab analyzed 135 malicious Hangul Word Processor (HWP) documents collected from September 2016 through December 2017 and found that people working on North Korea-related issues and people working in the cryptocurrency sector were the major targets. The DPRK-relevant activity includes Group A, identified as Red Eyes/Group 123/ScarCruft/APT37/Reaper/Ricochet Chollima, which targeted defectors, North Korean human rights activists, researchers, and journalists, with some military-themed cases. Attackers used email lures, links to malicious files, HWP files masquerading as other objects, EPS exploitation including CVE-2015-2545, JavaScript, vulnerability abuse, and embedded objects; EPS accounted for the largest share of observed HWP attacks. The report notes downloader and backdoor payloads, a shift toward memory-only execution after September 2016, PDB strings and Korean-language artefacts in Group A samples, and a destructive HWP case that wiped disk contents and displayed an "Are you Happy?" message. A separate Group C case used an embedded object to run a downloader that fetched additional content from endlesspaws.com while displaying a decoy North Korean human-rights document. Together these cases make the HWP tradecraft relevant for defenders monitoring Korea-focused targeting.

Indicators of Compromise

Type    Value                             First Seen   Last Seen
DOMAIN  endlesspaws.com                   2018-03-05   2018-08-22
URL     http://endlesspaws.com/sitemap.…  2018-03-05   2018-03-05
URL     http://endlesspaws.com/dump.sql   2018-03-05   2018-03-05
