Attack Trends of North Korean Attack Groups in the First Half of 2022, Part 1: Document-Based Malware

2022-09-03 Igloo North Korean attack group attack trends in the first half of 2022 Part.1: Document type-based malware

https://www.igloo.co.kr/security-information/2022%eb%85%84-%ec%83%81%eb%b0%98%ea%b8%b0-%eb%b6%81%ed%95%9c-%ea%b3%b5%ea%b2%a9-%ea%b7%b8%eb%a3%b9-%ea%b3%b5%ea%b2%a9%eb%8f%99%ed%96%a5-part-1-%eb%ac%b8%ec%84%9c%ed%98%95-%ea%b8%b0%eb%b0%98/


IGLOO analyzes document-based malware activity that the source attributes to North Korean attack groups active in the first half of 2022, including Kimsuky and Lazarus. The activity used spear-phishing themes such as defector-related surveys, disaster donation receipts, cryptocurrency topics, and press-release lures to target Korean public- and private-sector audiences. HWP samples hid shellcode in OLE objects, used zlib-encoded data, launched batch and PowerShell logic, terminated HWP processes, and displayed decoy documents to mask execution. DOC samples abused macros or Office exploit paths to download payloads, run backdoors packed with Themida, collect host and user information, inject code into WinWord or explorer.exe, and abuse Windows Update components and GitHub storage for execution or command-and-control communications. The repeated use of spear-phishing, OLE or macro execution, DLL-based payloads, Base64 obfuscation, and living-off-the-land Windows processes shows a mature document-malware tradecraft pattern relevant to Korean targets and cryptocurrency-related theft.

Indicators of Compromise

Type   Value                              First Seen   Last Seen
HASH   905745e2a196d7f8d7c2f9547f5b9e67   2022-07-25   2022-09-03
