the King of the Spear-Phishing
First seen: 2013-09 • Last seen: 2026-06
#D2Innovation • 2024-01
Kimsuky used trojanized security or software installers masquerading as legitimate Korean software packages, including TrustPKI and NX_PRNMAN, to deploy Troll Stealer/TrollAgent and related backdoor malware. The installers executed normal setup files as decoys while running Go-based, VMProtect-protected malware to collect host information, steal data, and receive external commands, with samples signed using a valid D2innovation Co.,LTD certificate.
Related Reports: 6
Affected Countries: 1
Months Since: 29