Malware disguised as company document related to inter-Korean economic cooperation

2018-07-08 Issuemakers Lab

http://taylor-blog.issuemakerslab.com/2018/07/malware-disguised-as-company-document.html


IssueMakersLab reported malware, attributed as likely North Korean, that used a Hangul Word Processor (HWP) document about inter-Korean economic cooperation as its lure. The infection chain exploited an HWP PostScript vulnerability: shellcode carried in the document's BIN0002.ps stream ran inside hwp.exe, searched memory for the marker string "F0und3g9", AES-decrypted the payload stored immediately after that marker inside a BMP image, and ran the decrypted malware by injecting it into explorer.exe. The malware collected the IP address, computer name, username, locale, Windows version and CPU information, then reported to C2 URLs that were stored XOR-encoded in the binary, on paths under pyeonta.com, doosungsys.com, sdajunghwa.com, patentmall.net and orentcar.com. The case matters because HWP is widely used by South Korean public institutions and businesses, so HWP document vulnerabilities are a practical delivery route for Korea-focused intrusions.
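Two parts of the chain are cheap to check for in a triage script: whether a BMP (or any file) carries a blob after the "F0und3g9" marker, and whether a binary's XOR-encoded strings decode to URLs under a single-byte key. The Python below is an added example, not IssueMakersLab's code or the malware's. The BMP carrier, the ciphertext filler and the XOR key 0x5A are constructed for the demo; the report gives neither the AES key nor the XOR key, so the script stops at carving the blob and measuring its entropy (AES output sits near 8 bits per byte) and recovers the URLs by a known-plaintext brute force over all 256 single-byte keys rather than by any key the report states.

```python
"""Added triage example (not IssueMakersLab's code): carve the blob that follows the
"F0und3g9" marker inside a BMP and recover single-byte-XOR-encoded C2 URLs.
All sample data below is constructed for the example; the XOR key 0x5A and the
BMP layout are assumptions, not values from the report."""
import hashlib
import math
import struct
from typing import List, Optional, Tuple

MARKER = b"F0und3g9"  # marker string reported in the analysis


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: close to 8.0 for AES output, much lower for plaintext or flat pixel data."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def carve_after_marker(blob: bytes, marker: bytes = MARKER) -> Optional[Tuple[int, bytes]]:
    """Return (offset, trailing bytes) for the first marker hit, or None if absent."""
    idx = blob.find(marker)
    if idx < 0:
        return None
    return idx, blob[idx + len(marker):]


def build_sample_bmp(appended: bytes) -> bytes:
    """Constructed sample: a valid 2x2 24-bit BMP with `appended` glued after the pixel rows.
    Image viewers ignore trailing bytes, which is why a carrier like this still renders cleanly."""
    width, height = 2, 2
    pixels = bytes([0, 0, 255, 0, 255, 0, 0, 0]) * height  # 6 pixel bytes + 2 pad bytes per row
    file_header = b"BM" + struct.pack("<IHHI", 14 + 40 + len(pixels), 0, 0, 54)
    dib_header = struct.pack("<IiiHHIIiiII", 40, width, height, 1, 24, 0, len(pixels), 2835, 2835, 0, 0)
    return file_header + dib_header + pixels + appended


def xor_single_byte(data: bytes, key: int) -> bytes:
    return bytes(b ^ key for b in data)


def recover_xor_urls(blob: bytes, prefix: bytes = b"http://") -> List[Tuple[int, str]]:
    """Known-plaintext brute force: try all 256 single-byte keys and keep every printable
    run that starts with `prefix`. Returns (key, url) pairs; a real sample may use a longer
    or rolling key, in which case this finds nothing and a different decoder is needed."""
    hits = []
    for key in range(256):
        dec = xor_single_byte(blob, key)
        pos = dec.find(prefix)
        while pos >= 0:
            end = pos
            while end < len(dec) and 0x21 <= dec[end] <= 0x7E:
                end += 1
            hits.append((key, dec[pos:end].decode("ascii")))
            pos = dec.find(prefix, end)
    return hits


def triage(bmp: bytes) -> dict:
    """Report marker offset, carved size and entropy of the carved blob (offset None if no marker)."""
    found = carve_after_marker(bmp)
    if found is None:
        return {"marker_offset": None}
    offset, carved = found
    return {"marker_offset": offset, "carved_len": len(carved),
            "entropy": round(shannon_entropy(carved), 2)}


# Constructed inputs for the demo (not samples from the report).
SAMPLE_KEY = 0x5A  # assumed key; the real key is not given in the write-up
# The report's domains with the truncated paths left out, NUL-separated, then XOR-encoded.
SAMPLE_CONFIG = xor_single_byte(b"http://doosungsys.com/\x00http://sdajunghwa.com/\x00", SAMPLE_KEY)
# Deterministic high-entropy filler standing in for the AES-encrypted payload.
SAMPLE_CIPHERTEXT = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(128))
SAMPLE_BMP = build_sample_bmp(MARKER + SAMPLE_CIPHERTEXT)


if __name__ == "__main__":
    print(triage(SAMPLE_BMP))                 # marker at 70, 4096 carved bytes, entropy ~7.95
    print(triage(build_sample_bmp(b"")))      # clean carrier: no marker
    for key, url in recover_xor_urls(SAMPLE_CONFIG):
        print(f"key=0x{key:02x} {url}")
```

Run it against a suspect BMP by replacing SAMPLE_BMP with the file's bytes; a marker hit followed by a high-entropy tail is the signal worth escalating, and the entropy figure alone separates a dropped ciphertext from ordinary trailing padding. The URL brute force is only a first pass: confirm any hit by checking that the same key also yields the other strings the sample uses.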

Indicators of Compromise

Type          Value                               First Seen   Last Seen
HASH (MD5)    3d0355ff78dcc979b3f83a679b6ba794    2018-07-08   2021-12-21
HASH (MD5)    a5a71b23e75795fd76153fdf02e7e2ed    2018-07-08   2018-07-08
HASH (MD5)    d08986b22d2371419dfcdf4abdb821b5    2018-07-08   2018-07-08
URL           http://www.patentmall.net/goods…    2018-07-08   2018-07-08
URL           http://sdajunghwa.com/admin/dat…    2018-07-08   2018-07-08
URL           http://www.orentcar.com/rental/…    2018-07-08   2018-07-08
URL           http://www.pyeonta.com/board/ne…    2018-07-08   2018-07-08
URL           http://doosungsys.com/file_bd/u…    2018-07-08   2018-07-08
DOMAIN        sdajunghwa.com                      2018-07-08   2018-07-08
DOMAIN        doosungsys.com                      2018-07-08   2018-07-08
