ASEC observed malicious HTML and LNK files impersonating a public organization and using honorarium themed HWP documents as lures for people in Korean reunification and national security fields. Running the LNK opens a legitimate HWP file while dropping obfuscated VBS or PowerShell components that change registry settings, collect user information, and fetch additional scripts. One chain downloads TutRAT and fileless payloads, then supports keylogging, browser credential theft, screenshots, and command execution. The source ties the activity to a previously observed actor through similar operation methods and C2 format, including 165.154.230[.]24:8020 and related Korean web paths.