Operation Artemis: Analysis of HWP-Based DLL Side Loading Attacks

2025-12-21 Genians

https://www.genians.co.kr/en/blog/threat_intelligence/dll


Genians attributes Operation Artemis to APT37 and describes spear-phishing with malicious HWP/HWPX documents against people engaged with North Korea, human rights, abduction issues, interviews, seminars, and related policy topics. The attacker impersonated credible figures such as university professors and Korean TV writers, sometimes building rapport through ordinary conversation before delivering an HWP lure disguised as an invitation, questionnaire, event guide, or interview request. Execution began when the victim clicked an embedded OLE object presented as a hyperlink; this dropped a malicious version.dll into %TEMP%, where a legitimate Sysinternals VolumeId utility loaded it by DLL side-loading, so the malicious code ran under a trusted process name. The campaign combined HWP OLE abuse, masquerading as a legitimate process, steganography-based RoKRAT deployment, and repeated lure evolution over several months, underscoring the continued use of HWP as an attack surface in North Korea-linked targeting of South Korea.
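The chain above (OLE click, version.dll written to %TEMP%, a legitimate VolumeId binary loading it) gives a defender two cheap checks: flag a VolumeId process loading version.dll from anywhere but a system directory, and sweep user-writable directories for version.dll sitting next to a VolumeId executable or for files matching the published hashes. The script below is an added example written for this page, not code from Genians or from the report. It assumes Sysmon-style (Image, ImageLoaded) event fields, the Sysinternals file names volumeid.exe and volumeid64.exe, and default Windows system directories; the hash set is copied from the IoC table on this page, and the sample files in the usage section are constructed.

```python
"""Hunting helpers for the HWP -> version.dll -> VolumeId side-loading pattern.

Added example for this page (not the report's own tooling). Two offline checks:
  1. is_sideloaded_version_dll(): a DLL-load event (e.g. Sysmon Event ID 7,
     fields Image / ImageLoaded) where a VolumeId binary loads version.dll
     from a non-system path.
  2. sweep(): walk a directory such as %TEMP% and report version.dll that
     shares a directory with a VolumeId executable, plus any file whose MD5
     is in the IoC list.
"""
import hashlib
import os
import tempfile
from pathlib import Path, PureWindowsPath

# Copied from the IoC table on this page (32 hex chars, i.e. MD5-length).
IOC_MD5 = frozenset({
    "d287dcaeaf17c9dae8a253994502ee58", "7e8c24bb3b50d68227ff2b7193d548dd",
    "2f3dff7779795fc01291b0a31d723aca", "c0cac70c93d213d113001e3410c24fd2",
    "f3603f68aadc8bc1ea8939132f0d5252", "ea95109b608841d2f99a25bd2646ff43",
    "d2b2c6646535a62e4c005613d6a036f0", "e726b59f96ab8360f323469d72b8b617",
    "31662a24560b3fe1f34f0733e65509ff", "17171c644307b17d231ad404e25f08b1",
    "f13a4834e3e1613857b84a1203e2e182", "ad3433f5f64abdec7868a52341f14196",
    "a196fb11a423076f66f5e4b2d02813a9", "8e4a99315a3ef443928ef25d90f84a09",
})

# The report names the abused DLL (version.dll) and the abused tool (VolumeId).
# Matching the loader by the "volumeid" prefix (volumeid.exe / volumeid64.exe)
# is an assumption based on the Sysinternals download's file names.
SIDELOAD_DLL = "version.dll"
LOADER_PREFIX = "volumeid"

# Where version.dll legitimately lives. Assumption: default Windows install
# paths; extend for non-default system drives. Compared case-insensitively.
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")


def is_loader(image: str) -> bool:
    """True if `image` names a VolumeId-style executable (by file name only)."""
    name = PureWindowsPath(image).name.lower()
    return name.startswith(LOADER_PREFIX) and name.endswith(".exe")


def is_sideloaded_version_dll(image: str, loaded_dll: str) -> bool:
    """Check 1: a VolumeId binary loading version.dll from outside the system dirs.

    version.dll from %TEMP% loaded by volumeid64.exe -> True.
    version.dll from System32 loaded by the same binary -> False (normal load).
    version.dll from %TEMP% loaded by some other process -> False (out of scope
    for this rule; it is still suspicious and worth a separate, broader rule).
    """
    dll = loaded_dll.lower()
    if PureWindowsPath(dll).name != SIDELOAD_DLL:
        return False
    if not is_loader(image):
        return False
    return not dll.startswith(SYSTEM_DIRS)


def md5_of(path: Path) -> str:
    """Stream the file through MD5 so large files do not load into memory."""
    h = hashlib.md5()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def sweep(root: Path, ioc_hashes=IOC_MD5) -> list:
    """Check 2: walk `root` and return a list of {"path", "reason"} findings.

    A file is reported when its MD5 is in `ioc_hashes`, and version.dll is
    reported when a VolumeId executable sits in the same directory. A file can
    produce both findings.
    """
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        directory = Path(dirpath)
        has_loader = any(is_loader(name) for name in files)
        for name in files:
            p = directory / name
            if name.lower() == SIDELOAD_DLL and has_loader:
                findings.append({"path": str(p),
                                 "reason": "version.dll beside VolumeId loader"})
            digest = md5_of(p)
            if digest in ioc_hashes:
                findings.append({"path": str(p),
                                 "reason": f"md5 matches IoC {digest}"})
    return findings


if __name__ == "__main__":
    # On Windows this sweeps %TEMP%, the drop location named in the report;
    # elsewhere it falls back to the platform temp directory.
    target = Path(os.environ.get("TEMP", tempfile.gettempdir()))
    for finding in sweep(target):
        print(f"{finding['reason']}: {finding['path']}")
```

The event check deliberately keys on the loader name rather than on the DLL alone: version.dll loaded from a user-writable path by any process is worth a broader rule, but tying it to VolumeId keeps this one specific to the chain the report describes and low in false positives. The sweep hashes every file it visits, so point it at %TEMP% or a user profile rather than a whole volume.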

Indicators of Compromise

Type    Value                              First Seen   Last Seen
HASH    d287dcaeaf17c9dae8a253994502ee58   2025-12-21   2025-12-21
HASH    7e8c24bb3b50d68227ff2b7193d548dd   2025-12-21   2025-12-21
HASH    2f3dff7779795fc01291b0a31d723aca   2025-12-21   2025-12-21
HASH    c0cac70c93d213d113001e3410c24fd2   2025-12-21   2025-12-21
HASH    f3603f68aadc8bc1ea8939132f0d5252   2025-12-21   2025-12-21
HASH    ea95109b608841d2f99a25bd2646ff43   2025-12-21   2025-12-21
HASH    d2b2c6646535a62e4c005613d6a036f0   2025-12-21   2025-12-21
HASH    e726b59f96ab8360f323469d72b8b617   2025-12-21   2025-12-21
HASH    31662a24560b3fe1f34f0733e65509ff   2025-12-21   2025-12-21
HASH    17171c644307b17d231ad404e25f08b1   2025-12-21   2025-12-21
HASH    f13a4834e3e1613857b84a1203e2e182   2025-12-21   2025-12-21
HASH    ad3433f5f64abdec7868a52341f14196   2025-12-21   2025-12-21
HASH    a196fb11a423076f66f5e4b2d02813a9   2025-12-21   2025-12-21
HASH    8e4a99315a3ef443928ef25d90f84a09   2025-12-21   2025-12-21
EMAIL   [email protected]                  2024-04-23   2025-12-21

The hash values are 32 hexadecimal characters (MD5-length). The email address was obfuscated at extraction time and is not recoverable from this page.
