ASEC observed malicious OOXML Word documents distributed through channels such as KakaoTalk group chats, with filenames themed around North Korea, China, surveys, and diplomatic security specialists. The documents used template injection to fetch external content from domains carefully disguised as legitimate Microsoft Office or OpenXML infrastructure. Reported infrastructure included lookalike domains such as openxmlformat[.]org, ms-office[.]services, ms-offices[.]com, and offices.word-template[.]net. AhnLab detections included Downloader/DOC.External, Downloader/DOC.Kimsuky, and Downloader/XML.Generic, supporting DPRK-focused tracking of document-based phishing against Korean policy and security communities.