Actively distributed malicious Hangul (HWP) documents containing BAT scripts (North Korea/Defense/Broadcasting)

2022-06-10 Ahnlab Malicious Korean documents containing BAT scripts being actively distributed (North Korea/Defense/Broadcasting)

https://asec.ahnlab.com/ko/35189/


AhnLab observed an active wave of malicious Hangul Word Processor (HWP) documents targeting defense, North Korea-related, and broadcasting personnel. The documents abused HWP's OLE object-linking feature to drop and run BAT scripts once the user clicked the embedded object; the scripts then launched PowerShell, which decoded shellcode and injected it into the legitimate Windows help.exe process. Filenames and lures included defense conference material, North Korea COVID-19 analysis, applications, resumes, and education-related documents, distributed through PC messengers and web browser downloads. Code similarities and reused PowerShell variable names matched an earlier malicious HWP case, and the excerpt labels the malware family as Infostealer/PS.Kimsuky with multiple MD5 indicators. The activity matters because it shows the attackers shifting from patched PostScript/EPS exploit paths to user-assisted OLE execution, which still works against fully updated Hancom Office environments because it relies on the user's click rather than on a vulnerability.

Indicators of Compromise

