Kimsuky distributed malware disguised as installation files for South Korean public institutions, using a dropper signed with a valid domestic company certificate to unpack and execute the Endoor backdoor. The linked evidence connects the activity to Kimsuky tooling including Endoor and Nikidoor, with capabilities to collect infected-system information, receive attacker commands, download additional malware, and capture screenshots.