Beware of North Korea-origin hacking attacks that misuse the ID card of an active police official!

2022-08-17 ESTSecurity

https://blog.alyac.co.kr/4877

ESRC observed a North Korea-origin hacking attempt that impersonated an active police investigator and used a PDF-style civil servant ID lure. Unlike a 2017 police-impersonation attack against a Bitcoin exchange that attached a separate malicious file, this case hid a legitimate ID PDF inside a malicious EXE and swapped it in when the malware ran. ESRC found that web-server command patterns matched earlier lures impersonating the UN Human Rights Office report on North Korea and a Peaceful Unification Advisory Council consultation for North Korean defector advisers. Based on C2 infrastructure, PowerShell code similarity, and IOCs, ESRC attributed the activity to a North Korean Reconnaissance General Bureau-linked group associated with the Smoke Screen APT campaign.
