Operation Bookcodes – targeting South Korea

2021-11-04 KRCERT

https://www.youtube.com/watch?v=sradz0r0hMU

KISA's Operation Bookcodes presentation describes a campaign that began in April 2019 against South Korean maritime, media, and security software targets. The attackers used malicious HWP documents and phishing links to install remote control malware, then downloaded droppers and registered launchers for persistence. The transcript also describes C2 infrastructure, target IP checks before payload delivery, encrypted server address files, and follow-on malware used to collect host data and maintain control.
