Korean MalDoc Drops Evil New Years Presents

2017-02-23 Cisco Talos

http://blog.talosintelligence.com/2017/02/korean-maldoc.html

Talos analyzes a Korean HWP malicious document themed around analysis of North Korea's 2017 New Year address and apparently impersonating South Korea's Ministry of Unification. The document embedded OLE objects that dropped PE files when users clicked linked decoy documents, then executed wscript.exe, injected shellcode, unpacked a second-stage PE, and collected host details such as execution path, BIOS model, and a generated system ID. The loader contacted compromised Korean government or other websites, including kgls.or.kr, to post reconnaissance data and retrieve a final payload masquerading as a JPG file, though the final payload was unavailable during analysis. Talos assesses the activity as a targeted attack against South Korean public-sector users by a sophisticated actor using native Korean-language lures, short-lived infrastructure, and a regional file format that many defenses may not inspect well.

Indicators of Compromise

