Amadey Trojan distributed by DPRK-affiliated APT groups

2021-02-02 Bushidotoken

https://blog.bushidotoken.net/2021/02/amadey-trojan-distributed-by-dprk.html


The report describes malicious Word documents, themed around COVID-19 conditions in North Korea, whose VBA macros dropped a secondary payload and connected the infected system to attacker command-and-control infrastructure. Once macros were enabled, the payload was retrieved from compromised web infrastructure; it was identified as Amadey, a commodity trojan used for credential theft and remote control. The author notes that similar Amadey use had previously been observed in suspected DPRK activity by IssueMakersLab, Tencent, and ESTsecurity, and that domains related to the C2 server 186.122.150[.]107 had been sinkholed in Microsoft's action against Thallium. The campaign is relevant to DPRK tracking because it combines North Korea-themed lures, an intelligence interest in COVID-19, and commodity malware that complicates attribution while lowering operational cost.

Indicators of Compromise

Type    Value                                  First Seen  Last Seen
HASH    189215def4bbba391070eaa31b850ed…       2021-02-02  2021-02-02
HASH    70fa2300d7932ab901c19878bf109bd…       2021-02-02  2021-02-02
HASH    aab683fd88bc5f50e6eed4aaed3f53f…       2021-02-02  2021-02-02
URL     https://www.rabadaun.com/wordpr…       2021-02-02  2021-02-02
URL     https://fd-com.fr/wp-content/th…       2021-02-02  2021-02-02
HASH    d1baefd0bdc7f3b0369c5b7126c3b98…       2021-02-01  2021-02-02
HASH    efc139dc0e280a374065dc59c55a45b…       2021-02-01  2021-02-02
DOMAIN  fd-com.fr                              2021-02-01  2021-02-02
IPv4    108.62.118.185                         2021-02-01  2021-02-02
IPv4    186.122.150.107                        2021-02-01  2021-02-02
