Distribution of a Hangul (HWP) Document Titled "「2021 Peace and Unification Story Contest」 Participation Application" (Suspected APT)
2020-12-08 • AhnLab
ASEC reported a malicious HWP file disguised as a local-government-themed application form for the 2021 Peace and Unification Story Contest. When opened, the document dropped an embedded PE file as HncApp.exe under the user's temp directory. It also used a transparent OLE object with a hyperlink, so a click anywhere in the document could execute the dropped file. The payload copied itself and set up persistence via the HKCU Run key, then used PowerShell to contact price365.co.kr and repeatedly retrieve commands. AhnLab noted that the C2 domain had been associated with the RedEyes APT group and that the malware could perform information theft, screenshots and other remote actions.
Indicators of Compromise
| Type | Value | First Seen | Last Seen |
|---|---|---|---|
| URL | http://price365.co.kr/abbi/json… | 2020-12-08 | 2020-12-08 |
| DOMAIN | price365.co.kr | 2020-12-08 | 2020-12-08 |