NavRAT Uses US-North Korea Summit As Decoy For Attacks In South Korea

2018-05-31 Cisco Talos

https://blog.talosintelligence.com/2018/05/navrat.html


Talos identified a malicious HWP document targeting Korean users with a decoy about the prospective U.S.-North Korea summit and assessed with medium confidence that the NavRAT campaign was linked to Group123. The infection chain used an embedded EPS object to execute shellcode, download an image-hosted payload from a compromised Korean website, and run the decoded executable in memory. NavRAT supported file upload, file download, command execution, keylogging, process injection into Internet Explorer, and persistence by copying itself as GoogleUpdate.exe under a fake AhnLab-related path. Its C2 design abused the Naver email platform for operator communication, with attempted data delivery to a Daum address, making the campaign notable for using an email service popular in South Korea as command-and-control infrastructure.

Indicators of Compromise

Type    Value                              First Seen  Last Seen
HASH    e0257d187be69b9bee0a731437bf050…   2018-05-31  2020-03-09
HASH    4f06eaed3dd67ce31e7c8258741cf72…   2018-05-31  2020-03-09
DOMAIN  mailacounts.com                    2018-05-31  2019-09-02
DOMAIN  artndesign2.cafe24.com             2018-05-31  2019-08-24
HASH    e5f191531bc1c674ea74f8885449f4d…   2018-05-31  2018-05-31
EMAIL   [email protected]                  2018-05-31  2018-05-31
URL     http://artndesign2.cafe24.com:8…   2018-05-31  2018-05-31
