October APT Attack by the Thallium Hacking Group Using North Korean Internal Information as a Lure

2020-10-30 ESTSecurity: October APT attack by the Thallium hacking group using North Korean internal information as a lure

https://blog.alyac.co.kr/3343


ESRC reported an October Thallium/Kimsuky HWP attack that used apparent North Korean internal-news content and a separate Korea Foreign Affairs Association lure to entice users into opening malicious documents. The HWP chain displayed compatibility prompts and security warnings, then dropped a shortcut together with qwer1234.txt and qwer1234.tmp under the user's temp directory. The shortcut's command copied qwer1234.txt to a version.dll path under the OneDrive directory, renamed the .tmp file to a PDF and opened it as decoy content, and killed hwp.exe. The dropped PE attempted to download and execute additional payloads from Google Drive and OneDrive URLs, although the links were no longer reachable during analysis. A leftover build path referencing "spy\hwp" and detections such as Exploit.HWP.Agent and Trojan.Agent.99328C supported the assessment that this was document-based Thallium activity.
