Exploit.HWP.Agent
2014-05-07 • ESTSecurity
ALYac analyzed a malicious HWP document judged to resemble previously reported Kimsuky-style activity targeting Korean organizations. The document abuses a Hancom Office vulnerability through hidden HWP sections with abnormally large paragraph text data, heap spraying, and shellcode execution that decrypts and drops an embedded PE file. The dropped malware creates temporary executables, persists through the Windows CurrentVersion\Windows load registry value, and repeatedly contacts http://www.kosianis.com/index.aspx. The payload is described as collecting user information and receiving commands from the suspected C2 server, making the lure document a likely email-borne espionage infection vector against enterprise and public-sector users.
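As an added defender-side illustration (not ESTSecurity's or ALYac's code), the following Python walks the records of an HWP 5.x BodyText section stream and reports PARA_TEXT records whose payload exceeds a size threshold, the "abnormally large paragraph text data" trait noted above. The record-header layout and raw-deflate storage follow the HWP 5.0 format; the 64 KiB threshold and the sample stream are assumptions constructed for this demo.

```python
"""Flag abnormally large PARA_TEXT records in an HWP 5.x BodyText section.
Assumed: 4-byte record header (10-bit tag, 10-bit level, 12-bit size, where
0xFFF means a 4-byte extended size follows), raw-deflate streams, 64 KiB cut-off."""
import struct
import zlib

HWPTAG_BEGIN = 0x10
HWPTAG_PARA_HEADER = HWPTAG_BEGIN + 50   # 0x42
HWPTAG_PARA_TEXT = HWPTAG_BEGIN + 51     # 0x43
THRESHOLD = 64 * 1024                    # assumed cut-off, tune per corpus

def iter_records(data: bytes):
    """Yield (tag_id, level, payload) for each record in a section stream."""
    off = 0
    while off + 4 <= len(data):
        hdr = struct.unpack_from("<I", data, off)[0]
        tag, level, size = hdr & 0x3FF, (hdr >> 10) & 0x3FF, hdr >> 20
        off += 4
        if size == 0xFFF:                # extended size follows the header
            size = struct.unpack_from("<I", data, off)[0]
            off += 4
        yield tag, level, data[off:off + size]
        off += size

def oversized_para_text(section: bytes, threshold: int = THRESHOLD):
    """Payload sizes of PARA_TEXT records larger than threshold."""
    return [len(p) for tag, _, p in iter_records(section)
            if tag == HWPTAG_PARA_TEXT and len(p) > threshold]

def scan_compressed_section(raw: bytes, threshold: int = THRESHOLD):
    """Section streams are normally raw deflate: inflate, then scan."""
    return oversized_para_text(zlib.decompress(raw, -15), threshold)

def make_record(tag: int, payload: bytes, level: int = 0) -> bytes:
    """Constructed helper: encode one record with the HWP header layout."""
    size = len(payload)
    if size >= 0xFFF:
        return struct.pack("<II", tag | (level << 10) | (0xFFF << 20), size) + payload
    return struct.pack("<I", tag | (level << 10) | (size << 20)) + payload

# Constructed sample: a short benign paragraph, then a 200,000-byte one.
SAMPLE = (make_record(HWPTAG_PARA_HEADER, b"\x00" * 22)
          + make_record(HWPTAG_PARA_TEXT, "hello".encode("utf-16-le"))
          + make_record(HWPTAG_PARA_HEADER, b"\x00" * 22)
          + make_record(HWPTAG_PARA_TEXT, b"\x0c\x0c" * 100_000))

def compressed_sample() -> bytes:
    """Raw-deflate SAMPLE the way an HWP section stream is stored on disk."""
    co = zlib.compressobj(wbits=-15)
    return co.compress(SAMPLE) + co.flush()
```

On a real document the OLE compound file must be opened first (for example with olefile) to extract each BodyText/SectionN stream before passing it to scan_compressed_section; that step is omitted here.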
Indicators of Compromise
| Type | Value | First Seen | Last Seen |
|---|---|---|---|
| URL | http://www.kosianis.com/index.a… | 2014-05-07 | 2014-05-07 |