Internet Explorer 0-day exploited by North Korean actor APT37

2022-12-07 Google

https://blog.google/threat-analysis-group/internet-explorer-0-day-exploited-by-north-korean-actor-apt37


Google TAG reported that North Korean government-backed APT37 exploited CVE-2022-41128, a zero-day in Internet Explorer's JScript engine, through malicious Office documents targeting users in South Korea. The lure was an Itaewon tragedy-themed document that fetched a remote RTF template, which in turn fetched attacker-controlled HTML. Because Office renders HTML content with the Internet Explorer engine, the exploit ran even where IE was not the user's default browser. TAG observed server-side cookie checks gating delivery of the exploit, shellcode that cleared the IE cache and browsing history, and a follow-on download stage; it also linked similar documents to the same activity. Microsoft patched the vulnerability in its November 2022 security update. Representative indicators included hashes for the exploit documents and infrastructure such as word-template.net, openxmlformat.org, ms-office.services, template-openxml.com, and ms-offices.com.
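The delivery chain above starts with a .docx whose settings part carries an external attachedTemplate relationship. The following triage script is an added example (not TAG's tooling and not code from the original report): it opens a .docx as a ZIP container, flags any external attachedTemplate relationship, matches the host against the domains listed on this page, and does a plainer URL sweep over RTF second-stage files. The sample documents and the URL paths are constructed here for illustration.

```python
"""Triage Office lures that pull a remote template. Added example, not TAG's code."""
import io
import re
import zipfile
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Infrastructure named in the report above.
IOC_DOMAINS = {
    "word-template.net", "openxmlformat.org", "ms-office.services",
    "template-openxml.com", "ms-offices.com",
}

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
ATTACHED_TEMPLATE = ("http://schemas.openxmlformats.org/officeDocument/2006/"
                     "relationships/attachedTemplate")
# URL sweep for RTF bodies; stops at RTF group delimiters and control chars.
URL_RE = re.compile(rb"https?://[A-Za-z0-9.\-_]+(?:/[^\s\"'<>{}\\]*)?")


def match_ioc(url):
    """Return the matching IOC domain (or None) for a URL, subdomains included."""
    host = (urlparse(url).hostname or "").lower()
    for d in IOC_DOMAINS:
        if host == d or host.endswith("." + d):
            return d
    return None


def scan_docx(data):
    """External attachedTemplate relationships in a .docx (the first stage above)."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        for name in z.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(z.read(name))
            for rel in root.iter(f"{{{REL_NS}}}Relationship"):
                if rel.get("TargetMode") == "External" and rel.get("Type") == ATTACHED_TEMPLATE:
                    target = rel.get("Target", "")
                    hits.append({"stage": "docx-remote-template", "part": name,
                                 "url": target, "ioc": match_ioc(target)})
    return hits


def scan_rtf(data):
    """Any http(s) URL embedded in an RTF body, matched against the IOC list."""
    return [{"stage": "rtf-url", "url": (u := m.group(0).decode("ascii", "replace")),
             "ioc": match_ioc(u)} for m in URL_RE.finditer(data)]


def scan(data):
    """Dispatch on file magic: ZIP container (.docx) or RTF signature."""
    if data[:2] == b"PK":
        return scan_docx(data)
    if data[:5] == b"{\\rtf":
        return scan_rtf(data)
    return []


def build_docx(template_url=None):
    """Constructed minimal .docx for testing (not a sample from the report)."""
    w_ns = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
    r_ns = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml",
                   '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>')
        z.writestr("word/document.xml", f'<w:document xmlns:w="{w_ns}"/>')
        if template_url:
            z.writestr("word/settings.xml",
                       f'<w:settings xmlns:w="{w_ns}" xmlns:r="{r_ns}">'
                       '<w:attachedTemplate r:id="rId1"/></w:settings>')
            z.writestr("word/_rels/settings.xml.rels",
                       f'<Relationships xmlns="{REL_NS}"><Relationship Id="rId1" '
                       f'Type="{ATTACHED_TEMPLATE}" Target="{template_url}" '
                       'TargetMode="External"/></Relationships>')
    return buf.getvalue()


if __name__ == "__main__":
    # Hypothetical URL path; only the domain comes from the report.
    for hit in scan(build_docx("http://word-template.net/template.dotm")):
        print(hit)
    for hit in scan(b"{\\rtf1\\ansi {\\*\\template http://openxmlformat.org/t.dotm} text}"):
        print(hit)
```

A benign document with no remote template yields no hits; a hit whose `ioc` is None still deserves a look, since attackers rotate domains faster than IOC lists update.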

Indicators of Compromise

Type    Value                               First Seen  Last Seen
HASH    c49b4d370ad0dcd1e28ee8f525ac8e3…    2022-12-07  2025-02-10
HASH    08f93351d0d3905bee5b0c2b9215d44…    2022-12-07  2022-12-07
HASH    af5fb99d3ff18bc625fb63f792ed7cd…    2022-12-07  2022-12-07
HASH    926a947ea2b59d3e9a5a6875b4de2bd…    2022-12-07  2022-12-07
HASH    56ca24b57c4559f834c190d50b0fe89…    2022-12-07  2022-12-07
HASH    3bff571823421c013e79cc10793f238…    2022-12-07  2022-12-07
DOMAIN  template-openxml.com                2022-12-07  2022-12-07
DOMAIN  word-template.net                   2022-11-17  2022-12-07
DOMAIN  ms-offices.com                      2022-11-17  2022-12-07
