Analysis of the latest attack activities of the Hermit (隐士) APT group in 2020

2020-04-24 Tencent Analysis of the latest attack activities of the Hermit APT organization in 2020

https://s.tencent.com/research/report/969


Tencent’s 2020 analysis describes Hermit, a Tencent-named cluster linked through correlation to KONNI/SYSCON/SANNY activity, continuing operations against Korean Peninsula-related NGOs, government bodies, trade companies, and media. The group used malicious Office macro lures tied to COVID-19, the 2020 Tokyo Paralympics, North Korea policy, and North Korean COVID-19 themes, hiding macro behavior by changing font colors and urging users to enable macros. The dropped downloader selected 32- or 64-bit payloads, decrypted CAB packages, used certutil-style download/decryption logic and multiple UAC bypass methods, and installed `wprint.dll` as a service. The RAT used FTP C2, collected system and process information, uploaded encrypted files, and pulled numbered command files for shell execution, file transfer, and payload execution.

Indicators of Compromise

