Kimsuky, an Active Northeast Asian APT Group: Incidents

2021-10-21 NSFOCUS: Incidents of Kimsuky, an active Northeast Asian APT group

http://blog.nsfocus.net/apt-kimsuky/

NSFOCUS profiles Kimsuky, also known as Thallium, CloudDragon, Velvet Chollima, and BabyShark, as a North Korea-linked APT active since at least 2012–2013 and primarily focused on South Korean government, military, think-tank, academic, media, human-rights, and North Korea policy targets. The report traces Kimsuky incidents from early spear-phishing against South Korean institutions through the KHNP leak and later activity against U.S., Japanese, Russian, European, cryptocurrency, defense, and vaccine-related targets. It emphasizes phishing login pages, malicious Office/HWP attachments, disguised executables, malicious Chrome extensions, and web exploit delivery such as CVE-2018-8174. The lure set repeatedly uses peninsula geopolitics, inter-Korean and U.S.-DPRK policy themes, conference invitations, questionnaires, cryptocurrency prize notices, and internal-looking defense or manufacturing documents to steal credentials or deploy follow-on malware.

Indicators of Compromise

Type Value First Seen Last Seen
URL https://www.biospace.com/articl… 2021-10-21 2021-10-21