Korea In The Crosshairs
2018-01-16 • Cisco Talos
http://blog.talosintelligence.com/2018/01/korea-in-crosshairs.html
Talos links six campaigns from 2017 to early 2018 to Group 123, with shared code and PDB artifacts tying together activity such as Golden Time, Evil New Year, North Korean Human Rights, FreeMilk, and Are You Happy?. Several campaigns targeted South Korean users through spear phishing and malicious Hancom HWP documents themed around reunification, North Korean human rights, and the North Korean New Year. The infection chains used HWP and Microsoft Office exploits, including CVE-2013-0808 and CVE-2017-0199, along with OLE objects, downloader stages, and compromised web servers to deliver ROKRAT or related malware such as Freenki and PoohMilk. ROKRAT variants performed anti-analysis checks and abused cloud and social platforms, including Twitter, Yandex, and MediaFire, for command and control and data exfiltration, while the Are You Happy? activity included a destructive ROKRAT wiper module. The evidence matters because it shows a Korea-focused actor evolving from spear-phishing RAT delivery into multi-stage, cloud-backed, and destructive operations against South Korean interests.