Latest APT attack carried out using an invitation to a roundtable on the 2nd North Korea-U.S. summit, 'Operation Round Table'

2019-02-21 ESTSecurity: The latest APT attack, 'Operation Round Table', was carried out using an invitation to a roundtable on the 2nd North Korea-US summit.

https://blog.alyac.co.kr/2140

ESRC reported a 21 February 2019 spear-phishing attack using a malicious HWP document themed around the planned second U.S.–North Korea summit in Hanoi. The document contained a BIN0003.eps PostScript stream that exploited an HWP EPS vulnerability and embedded shellcode. The shellcode contacted itoassn.mireene.co.kr/shop/shop/mail/com/mun/down[.]php, retrieved encrypted data disguised as a PNG, and wrote ~emp.dll in a temporary folder to run further commands. ESRC linked the tradecraft to Operation Black Limousine and to shellcode patterns seen in earlier Korea-focused APT activity, including the KHNP intrusion cluster.
