Malicious Word Document Being Distributed in Disguise of a News Survey

2022-11-25 Ahnlab

https://asec.ahnlab.com/en/42529/

AhnLab ASEC analyzed a password-protected Word document named CNA[Q].doc, disguised as a Singapore CNA news survey and themed around North Korea-related content. The document relied on a malicious VBA macro that prompted the user to enable content, then dropped and executed tmp.pip from %APPDATA%. The script chain created Defender.log, DefenderUpdate.lba, and Ahnlab.lnk, contacted okihs.mypressonline[.]com for bb.txt and bb.down, collected host information, and downloaded additional scripts. ASEC noted an evolution from earlier variants: the bb.down script used FTP to exfiltrate browser credential material, including Chrome and Edge Local State keys and related browser data, while retaining LNK creation, Office security modification, and keylogging behavior.

Indicators of Compromise

Type    Value                                   First Seen   Last Seen
URL     Http://okihs.mypressonline.com/…        2022-11-25   2022-11-25
HASH    59be2b9a3e33057b3d80574764ab0952        2022-11-16   2022-11-25
HASH    8785b8e882eef125dc527736bb1c5704        2022-11-16   2022-11-25
HASH    89d972f89b336ee07733c72f6f89edc5        2022-11-16   2022-11-25
URL     http://okihs.mypressonline.com/…        2022-11-16   2022-11-25
URL     http://okihs.mypressonline.com/…        2022-11-16   2022-11-25
URL     http://okihs.mypressonline.com/…        2022-11-16   2022-11-25
DOMAIN  jojoa.mypressonline.com                 2022-11-16   2022-11-25
DOMAIN  okihs.mypressonline.com                 2022-11-16   2022-11-25
