HWP malware exploiting OLE objects

2022-06-20, SECUI: HWP malware exploiting OLE objects

https://stic.secui.com/main/main/threatInfo?id=45

SECUINSIDE analyzed malicious HWP documents that abused embedded OLE objects, rather than already-patched HWP vulnerabilities, so that execution was triggered by user clicks. The campaign used spear-phishing emails aimed at people connected to North Korea-related topics, with lures such as TV appearance requests and opinion requests. Dropped BAT files launched encoded PowerShell, killed the HWP process, read shellcode from the end of the document, injected it into a new help.exe process, restored a decoy document, and deleted the staging files. Two shellcode types were described: one downloaded a script via mshta, while the other added C2 encoding, API hashing, and an additional encoded shellcode stage. The final PowerShell payload registered scheduled execution under EstSoft\Alap\Report and communicated with hanainternational[.]net to receive commands, execute them through cmd, exfiltrate the results, and collect system information.

Indicators of Compromise

