Sting from the Kimsuky organization: Targeted hunting with multiple attack weapons against South Korea
2022-09-14 • Qianxin
Kimsuky targeted South Korean entities during a period of U.S.-South Korea military exercises, using PIF, HWP, DOC and macro-enabled lure files to deliver malware. The activity used PIF executables disguised with PDF icons, Korean DRM-encrypted decoy documents, custom string decryption, XOR/AES/RC4 routines, scheduled tasks and registry Run keys for execution and persistence. Payloads included PebbleDash, AppleSeed-linked tradecraft, VBS downloaders, PowerShell-based host reconnaissance, and a lightweight backdoor loaded through regsvr32 that communicated with C2 infrastructure over HTTP. Reported infrastructure included uppgrede.scienceontheweb.net, office.pushitlive.net, qwert.mine.bz and related URLs, with observed capabilities for host information collection, command execution and result exfiltration. The campaign matters because it shows Kimsuky reusing stolen Korean documents as lures while combining multiple malware families and flexible delivery chains against South Korea-focused targets.
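Turning the behaviours listed above into detection logic, as an added example that is not from the Qianxin report: it scans constructed telemetry lines (a simplified `kind|key=value` format, an assumption) for the named C2 domains, regsvr32 loading a DLL from a user-writable path, Run-key writes, scheduled-task creation, and PIF execution from user directories.

```python
import re
from typing import Optional

# Domains named in the report (the paths of the related URLs are not reproduced here).
KIMSUKY_C2_DOMAINS = {"uppgrede.scienceontheweb.net", "office.pushitlive.net", "qwert.mine.bz"}

# User-writable locations from which a PIF or a regsvr32-loaded DLL is suspicious (assumption).
USER_WRITABLE = re.compile(r"\\(Users\\[^\\]+\\(Downloads|AppData)|Temp)\\", re.IGNORECASE)

# Constructed sample telemetry, not real events from the report.
SAMPLE_EVENTS = [
    "proc|parent=explorer.exe|image=C:\\Users\\u\\Downloads\\report.pdf.pif",
    "proc|parent=cmd.exe|image=regsvr32.exe /s C:\\Users\\u\\AppData\\Roaming\\svc.dll",
    "reg|key=HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run|value=Updater",
    "proc|parent=cmd.exe|image=schtasks.exe /create /tn Updater /sc minute /tr C:\\Temp\\u.vbs",
    "dns|query=office.pushitlive.net",
    "http|host=uppgrede.scienceontheweb.net|method=GET",
    "proc|parent=explorer.exe|image=notepad.exe",
    "dns|query=example.com",
]


def classify(event: str) -> Optional[str]:
    """Map one 'kind|k=v|k=v' telemetry line to a finding label, or None if nothing matched."""
    kind, *fields = event.split("|")
    f = dict(part.split("=", 1) for part in fields if "=" in part)
    if kind in ("dns", "http"):
        host = (f.get("query") or f.get("host") or "").lower()
        return "c2-domain" if host in KIMSUKY_C2_DOMAINS else None
    if kind == "reg":
        return "run-key-persistence" if "\\currentversion\\run" in f.get("key", "").lower() else None
    if kind == "proc":
        cmd = f.get("image", "")
        low = cmd.lower()
        exe = (low.split() or [""])[0]
        if exe.endswith(".pif") and USER_WRITABLE.search(cmd):
            return "pif-lure-execution"          # PIF launched from a user directory
        if exe.startswith("regsvr32") and USER_WRITABLE.search(cmd):
            return "regsvr32-userdir-dll"        # backdoor DLL registered from a user-writable path
        if exe.startswith("schtasks") and "/create" in low:
            return "scheduled-task-persistence"
    return None


def scan(events):
    """Return (event, label) pairs for every event that produced a finding."""
    return [(e, label) for e in events if (label := classify(e))]


if __name__ == "__main__":
    for event, label in scan(SAMPLE_EVENTS):
        print(f"{label:28} {event}")
```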