APT Attack Using a WinRAR Self-Extracting Archive and a GitHub Repository

2024-04-26 SECUi

PowerShell fragment from the sample, as shown on the page (variable names as in the sample); it strips a junk token out of a string at run time:

```powershell
$eeert=$iuyiti.Replace('yreywetgdfg','');
```

https://stic.secui.com/main/main/threatInfo?id=225


SECUi observed a domestic APT case delivered through a ZIP archive named to look like a Korean military studies review package. The archive contained a benign HWP decoy and a malicious WinRAR self-extracting (SFX) EXE disguised as an HWP-related review file; when opened, the SFX displayed the decoy while launching embedded PowerShell. The first PowerShell stage downloaded additional script content from sampleblog365.com; the second stage collected host information, including ipconfig output and a listing of the user's Recent folder. The collected data was uploaded to a GitHub repository path under the filename thumb.db, and the repository's commit history showed other filenames such as payment-request and document-lure names, illustrating the use of public developer infrastructure for both staging and exfiltration.
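The following is an added hunting example, not code from the SECUi report or from the sample. It does two things that the chain above calls for: it recovers strings hidden with the junk-token `.Replace('<token>','')` trick seen in the PowerShell fragment, and then runs a small set of rules over constructed process-creation and script-block events. The only values taken from the page are sampleblog365.com, thumb.db, ipconfig, the Recent folder and the Replace() fragment; the lure double-extension pattern (`.hwp.exe` and similar), the GitHub REST `contents` path, the sample file paths and the event layout are assumptions for illustration.

```python
import re

# --- (1) Recover strings hidden with the junk-token .Replace() trick -------
# Fragment on the page:  $eeert=$iuyiti.Replace('yreywetgdfg','');
# The stage stuffs a nonsense token into its real strings and strips it again
# at run time, so a static scan of the raw script for "ipconfig" or the C2 host
# finds nothing.  Undo that before matching indicators.
REPLACE_RE = re.compile(r"\.Replace\('([^']+)',\s*''\)")

def junk_tokens(script: str) -> set:
    """Every token the script itself removes with .Replace('<token>','')."""
    return set(REPLACE_RE.findall(script))

def deobfuscate(script: str) -> str:
    """Apply the script's own removals to its whole text so indicators surface."""
    text = script
    for token in junk_tokens(script):
        text = text.replace(token, "")
    return text

# --- (2) Indicators for the chain described in the report ------------------
INDICATORS = {
    "stager_host":  re.compile(r"sampleblog365\.com", re.I),            # host from the page
    "host_recon":   re.compile(r"ipconfig|\\Recent\\?", re.I),           # recon from the page
    # thumb.db is from the page; the api.github.com/repos/.../contents path is an
    # assumption about how a script would push a file into a repository.
    "github_exfil": re.compile(r"api\.github\.com/repos/.*/contents/|thumb\.db", re.I),
}
# Assumed lure naming: a document extension followed by .exe.
LURE_DOUBLE_EXT = re.compile(r"\.(hwp|hwpx|pdf|docx?)\.exe$", re.I)
HIDDEN_PS = re.compile(r"-w(indowstyle)?\s+hidden|-enc(odedcommand)?\b|-nop\b", re.I)

def script_block_hits(text: str) -> set:
    """Indicator names that match the de-obfuscated script block."""
    clean = deobfuscate(text)
    return {name for name, rx in INDICATORS.items() if rx.search(clean)}

def process_create_hits(ev: dict) -> set:
    """Flag powershell.exe spawned by a lure-named parent or with hidden flags."""
    hits = set()
    child = ev["image"].rsplit("\\", 1)[-1].lower()
    parent = ev["parent_image"].rsplit("\\", 1)[-1]
    if child == "powershell.exe":
        if LURE_DOUBLE_EXT.search(parent):
            hits.add("lure_sfx_spawns_powershell")
        if HIDDEN_PS.search(ev["command_line"]):
            hits.add("hidden_powershell")
    return hits

def triage(events: list) -> list:
    """Return (event id, sorted hit names) for every event that matched a rule."""
    findings = []
    for ev in events:
        if ev["type"] == "process_create":
            hits = process_create_hits(ev)
        elif ev["type"] == "script_block":
            hits = script_block_hits(ev["text"])
        else:
            hits = set()
        if hits:
            findings.append((ev["id"], sorted(hits)))
    return findings

# Constructed sample telemetry (not real log data from the incident).
SAMPLE_EVENTS = [
    {"id": 1, "type": "process_create",
     "parent_image": r"C:\Users\kim\Downloads\review.hwp.exe",     # assumed lure name
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell.exe -w hidden -ep bypass -c ..."},
    {"id": 2, "type": "process_create",
     "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\notepad.exe",
     "command_line": "notepad.exe"},
    {"id": 3, "type": "script_block",
     # Same junk token as the page's fragment, applied to strings the chain uses.
     "text": ("$iuyiti='ipyreywetgdfgconfig /all';"
              "$eeert=$iuyiti.Replace('yreywetgdfg','');"
              "$u='http://www.sampleyreywetgdfgblog365.com/';"
              "$out=$env:TEMP+'\\thumb.db'")},
]

if __name__ == "__main__":
    for event_id, hits in triage(SAMPLE_EVENTS):
        print(f"event {event_id}: {', '.join(hits)}")
```

Event 3 matches nothing on its raw text, because every indicator string has the junk token spliced into it; it matches all three rules once the script's own `.Replace()` removals are applied first. In a real deployment the script-block text would come from PowerShell Script Block Logging (Event ID 4104) and the process events from Sysmon Event ID 1, and the lure-extension list should be tuned to the document types your users actually receive.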

Indicators of Compromise

Type   Value                               First Seen   Last Seen
HASH   8c0b84910816a5d223f53080961bd8b…    2024-04-26   2024-04-26
URL    http://www.sampleblog365.com/ar…    2024-04-26   2024-04-26
