APT attack targeting South Korea, named The “Kimsuky” Operation

2013-09-12 AhnLab APT attack targeting South Korea named The "Kimsuky" Operation

http://asec.ahnlab.com/968

ASEC reviewed malware samples associated with Kaspersky's Kimsuky operation and found that related variants had been observed as early as 2009, with renewed activity and multiple variants appearing from June 2013 through September 2013. The activity targeted South Korean government and public-sector organizations through spear-phishing emails carrying vulnerable Hangul Word Processor documents. The malicious HWP files exploited recurring record-level HWP vulnerabilities and dropped files such as core.dll and olethk64.dll on unpatched systems. Stolen data was sent to attacker-controlled free email accounts, and ASEC found additional XOR-encoded malware stored in a mailbox for likely future distribution. Some samples also modified Windows Registry settings in an attempt to disable AhnLab V3 personal firewall protections.
