THREAT ACTOR GROUPS USE COVID-19 PANDEMIC THEME
2020-04-16 • NSHC
https://redalert.nshc.net/2020/04/16/threat-actor-groups-use-covid-19-pandemic-theme/
NSHC ThreatRecon found COVID-19-themed APT activity across multiple regions. The DPRK-relevant section of the report describes SectorA05 and SectorA07 activity against organizations affiliated with South Korea's Ministry of Foreign Affairs. The attackers used Korean-language MS Word lures disguised as coronavirus guidelines; the embedded macros downloaded PowerShell from attacker infrastructure and executed it. Related malicious documents used themes about North Korea's coronavirus situation and North Korean coronavirus-themed cyber activity, and some samples downloaded additional macro code from attacker servers. The report also noted a Python script payload intended to replace the default MS Word template on macOS, indicating that both Windows and Mac users were targeted.