FreeMilk: A Highly Targeted Spear Phishing Campaign
2017-10-05 • Palo Alto Networks
Unit 42 documented FreeMilk, a limited spear-phishing campaign that used hijacked email conversations and tailored decoy documents to exploit CVE-2017-0199. Successful exploitation downloaded PoohMilk as a first-stage loader and Freenki as a second-stage downloader from compromised infrastructure such as old.jrchina[.]com. Freenki collected host data, MAC addresses, system details, and screenshots, then requested a secondary C2 and executed a decoded payload with the hard-coded argument “abai.” The campaign targeted organizations and individuals including a Middle East bank, European intellectual property firms, an international sporting organization, and people with indirect ties to a Northeast Asian country, while related activity used Hancom-themed phishing and a watering-hole attack against a defector-operated media site.