More CVEs, Same Playbook: 2026 Vulnerability Exploitation in the Wild
2026-05-27 • Proofpoint
Proofpoint observed DPRK-aligned TA406, also known as Opal Sleet, chaining CVE-2026-21509 and CVE-2026-21510 in March and April 2026 email campaigns. The campaigns used visa-processing and diplomatic-initiative lures with RTF attachments that triggered Microsoft Office RTF/OLE code execution through CVE-2026-21509. Embedded OLE objects contained LNK files that initiated WebDAV connections to retrieve secondary LNK files, then abused CVE-2026-21510 to bypass Windows Shell security controls and execute a DLL payload. Proofpoint notes that TA406's downstream payloads and post-exploitation behavior differed from Russia-linked TA422 activity using related vulnerabilities. The finding matters because it shows DPRK-aligned operators rapidly adopting newly disclosed Office and Windows flaws in targeted diplomatic-themed phishing chains.
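A defensive triage check for the first link of this chain (an RTF attachment whose embedded OLE object carries a Shell Link file), added here as an example that is not part of the Proofpoint report: it hex-decodes each `\objdata` group, reads the OLE1 class name, and flags any object whose payload contains the LNK header magic. The sample RTF is constructed for the demonstration, not a real campaign file.

```python
from __future__ import annotations
import re
import binascii

# ShellLinkHeader magic: HeaderSize 0x0000004C followed by the LinkCLSID
# {00021401-0000-0000-C000-000000000046}, both in little-endian byte order.
LNK_MAGIC = bytes.fromhex("4c0000000114020000000000c000000000000046")

# An RTF \objdata group carries the OLE1 object as hex digits (whitespace allowed).
OBJDATA_RE = re.compile(rb"\\objdata\s*([0-9a-fA-F\s]+)")

def extract_objdata(rtf: bytes) -> list[bytes]:
    """Return the decoded bytes of every \\objdata group in an RTF document."""
    blobs = []
    for m in OBJDATA_RE.finditer(rtf):
        hexstr = re.sub(rb"\s", b"", m.group(1))
        if len(hexstr) % 2:
            hexstr = hexstr[:-1]  # tolerate a stray trailing nibble
        blobs.append(binascii.unhexlify(hexstr))
    return blobs

def ole1_class_name(blob: bytes) -> str:
    """Best-effort read of the ClassName string from an OLE1 object header."""
    if len(blob) < 12:
        return ""
    n = int.from_bytes(blob[8:12], "little")
    if n == 0 or n > 256 or 12 + n > len(blob):
        return ""
    return blob[12:12 + n].rstrip(b"\0").decode("ascii", "replace")

def find_lnk_objects(rtf: bytes) -> list[dict]:
    """Flag embedded OLE objects whose payload contains a Shell Link header."""
    hits = []
    for i, blob in enumerate(extract_objdata(rtf)):
        off = blob.find(LNK_MAGIC)
        if off != -1:
            hits.append({"object": i, "class": ole1_class_name(blob), "lnk_offset": off})
    return hits

def sample_rtf() -> bytes:
    """Constructed sample (not a real campaign file): a 'Package' OLE1 object
    whose native data begins with an LNK header."""
    header = bytes.fromhex("01050000") + bytes.fromhex("02000000")  # Version, FormatID
    cls = b"Package\0"
    header += len(cls).to_bytes(4, "little") + cls
    header += b"\0" * 8  # empty TopicName and ItemName length fields
    native = (len(LNK_MAGIC) + 12).to_bytes(4, "little") + LNK_MAGIC + b"\0" * 12
    objdata = (header + native).hex().encode()
    return b"{\\rtf1{\\object\\objemb{\\*\\objdata " + objdata + b"}}}"
```

Matching the magic is a triage heuristic: obfuscated RTF that interleaves control words inside the hex run needs a full RTF tokenizer, so treat a miss as inconclusive rather than clean.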