APT attackers who targeted overseas victims in 2010 return to Korea with Operation Baby Coin
2018-04-19 • ESTSecurity • APT attackers targeting overseas victims in 2010 return to Korea with Operation Baby Coin
ESRC attributes Operation Baby Coin to a suspected state-sponsored group that targeted Korean individuals with spear-phishing emails carrying a malicious RTF/DOC attachment named “Coin Information.” The document exploited CVE-2017-11882, the stack buffer overflow in the Microsoft Equation Editor component (EQNEDT32.EXE), and then contacted a hardcoded Stage 1 C2 server to download 2.dll, which in turn retrieved an encrypted update.ca payload from a Stage 2 C2 server.

On the host, the chain wrote winword.tmp and update.tmp under the user’s Roaming profile (%APPDATA%), chose a 32-bit or 64-bit payload to match the system, and gained persistence through Startup-folder shortcuts whose names imitated Adobe or security-software components. The implant collected browser data, email, files, clipboard contents, drive information, and system details.

The report points out false-flag artifacts: Chinese-looking document metadata sitting alongside Korean code-page and resource evidence in the binaries. It also ties the 2018 tooling to the group’s earlier PDF-exploit activity through shared multipart upload strings, Korean-language resources, encoding signatures, rundll32 execution patterns, and PDB paths.
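The infection chain above maps onto a handful of host-level checks a responder can run over endpoint telemetry: a child process spawned by EQNEDT32.EXE (the CVE-2017-11882 trigger), stage files landing in the Roaming profile, a shortcut dropped in the Startup folder, and rundll32 loading a DLL from the Roaming profile. The block below is an added example of that triage logic, not ESRC’s code; the event schema, the sample events, the shortcut name AdobeUpdater.lnk, the export name passed to rundll32, and the assumption that 2.dll and update.ca also land under Roaming are all constructed for illustration. Only the file names, the Roaming/Startup locations, the Equation Editor component and the rundll32 pattern come from the report summary.

```python
"""Triage checks for the Operation Baby Coin chain (added example, not from the report).

The event schema and SAMPLE_EVENTS are constructed for this example; indicator
names (winword.tmp, update.tmp, update.ca, 2.dll, Roaming profile, Startup
shortcut, EQNEDT32.EXE, rundll32) are taken from the report summary.
"""
import ntpath
import re

# File names the summary associates with the chain. winword.tmp and update.tmp
# are reported under Roaming; treating 2.dll and update.ca as Roaming drops
# too is an assumption made here, not a finding of the report.
STAGE_DROPS = {"winword.tmp", "update.tmp", "update.ca", "2.dll"}

ROAMING_RE = re.compile(r"\\AppData\\Roaming\\", re.IGNORECASE)
STARTUP_RE = re.compile(r"\\Start Menu\\Programs\\Startup\\[^\\]+\.lnk$", re.IGNORECASE)

# Constructed endpoint events in a minimal EDR-like schema (assumption).
SAMPLE_EVENTS = [
    {"type": "process", "image": r"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE",
     "parent": r"C:\Windows\explorer.exe", "cmdline": 'WINWORD.EXE "Coin Information.doc"'},
    # CVE-2017-11882 executes inside Equation Editor; the child it spawns here
    # is hypothetical, the report does not name it.
    {"type": "process", "image": r"C:\Windows\System32\cmd.exe",
     "parent": r"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE",
     "cmdline": "cmd.exe"},
    {"type": "file", "path": r"C:\Users\victim\AppData\Roaming\winword.tmp"},
    {"type": "file", "path": r"C:\Users\victim\AppData\Roaming\update.tmp"},
    # Shortcut name is hypothetical; the report only says the names imitated Adobe/security components.
    {"type": "file", "path": r"C:\Users\victim\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AdobeUpdater.lnk"},
    # Export name "Start" is hypothetical.
    {"type": "process", "image": r"C:\Windows\System32\rundll32.exe",
     "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'rundll32.exe "C:\Users\victim\AppData\Roaming\2.dll",Start'},
    # Benign Office scratch file, should not match anything.
    {"type": "file", "path": r"C:\Users\victim\AppData\Local\Temp\~DF1234.tmp"},
]


def equation_editor_child(ev):
    """Any process whose parent is EQNEDT32.EXE: Equation Editor has no business spawning children."""
    return ev["type"] == "process" and ntpath.basename(ev["parent"]).upper() == "EQNEDT32.EXE"


def roaming_stage_drop(ev):
    """One of the chain's stage files written directly under the Roaming profile."""
    return (ev["type"] == "file"
            and ROAMING_RE.search(ev["path"]) is not None
            and ntpath.basename(ev["path"]).lower() in STAGE_DROPS)


def startup_shortcut(ev):
    """A .lnk created in the per-user Startup folder (the persistence step)."""
    return ev["type"] == "file" and STARTUP_RE.search(ev["path"]) is not None


def rundll32_from_roaming(ev):
    """rundll32.exe loading a DLL that lives under the Roaming profile."""
    if ev["type"] != "process" or ntpath.basename(ev["image"]).lower() != "rundll32.exe":
        return False
    return ROAMING_RE.search(ev["cmdline"]) is not None


RULES = [
    ("eqnedt32_child_process", equation_editor_child),
    ("roaming_stage_drop", roaming_stage_drop),
    ("startup_lnk_persistence", startup_shortcut),
    ("rundll32_roaming_dll", rundll32_from_roaming),
]


def triage(events):
    """Return (rule_name, evidence) for every event that matches a rule."""
    hits = []
    for ev in events:
        evidence = ev.get("path") or ev.get("cmdline")
        for name, rule in RULES:
            if rule(ev):
                hits.append((name, evidence))
    return hits


def chain_score(hits):
    """Number of distinct chain stages seen; 3 or more on one host is worth an incident ticket."""
    return len({name for name, _ in hits})


if __name__ == "__main__":
    found = triage(SAMPLE_EVENTS)
    for name, evidence in found:
        print(f"{name}: {evidence}")
    print("distinct stages:", chain_score(found))
```

The Equation Editor rule is the one that generalises beyond this campaign: every exploitation of CVE-2017-11882 ends with EQNEDT32.EXE launching something, so that parent/child pair is worth alerting on regardless of what the child is. The other three rules are specific to the file names and locations the report gives, and they are the ones to revisit when the group rotates its tooling.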