Rocket Man APT campaign returns with Operation Holiday Wiper

2019-01-23 ESTSecurity Rocket Man APT campaign returns with Operation Holiday Wiper

https://blog.alyac.co.kr/2089


ESRC identified a January 2019 Operation Rocket Man variant that shifted from earlier HWP exploit delivery to a malicious XLS file themed around red ginseng pricing for South Korea’s Lunar New Year season. The document lured users into enabling content with Korean wording described as closer to North Korean usage, then used external-link and PowerShell commands to download aqq.exe from a compromised South Korean medical website. The payload impersonated a Korean portal security product icon, contacted wooridz[.]com paths for U.conf, U3.conf, U4.conf, and defaults.conf, and reused Rocket-related code artifacts and .NET components associated with earlier Rocket Man activity. The malware also used PubNub-based C2 and supported destructive commands that could delete files, remove volumes, or damage MBR areas if run with administrator privileges, raising the impact from espionage-focused intrusion to potential wiper activity.
