ThreatBook analyzed a Konni APT campaign using a North Korea COVID-19 supplies article as a lure document, consistent with the group’s long-running spear-phishing against South Korea and regional targets. The malicious Word document hid its text until macros were enabled, then downloaded a loader from a compromised site and executed it from the Templates directory. The loader decrypted and injected an Amadey-family backdoor, established persistence under C:\ProgramData\a7963\TlWorker.exe, collected host and security-product information, and beaconed by HTTP POST to 186.122.150[.]107/cc/index.php for follow-on module delivery. The report also describes infrastructure and tradecraft overlaps with Kimsuky, including related C2 registration details and macro-based delivery patterns, while treating the relationship as a hypothesis requiring continued tracking.