Suspected APT-C-55 (Kimsuky) group uses the commercial software Web Browser Password Viewer to carry out attacks

2021-11-19 Qihoo360 Suspected APT-C-55 (Kimsuky) organization uses commercial software Web Browser Password Viewer to carry out attacks

https://mp.weixin.qq.com/s/QDI912ogVKyyKFYdKvBGdQ


The 360 Advanced Threat Research Institute reports a suspected APT-C-55/Kimsuky test sample that repurposes the commercial Web Browser Password Viewer tool to harvest browser credentials. The captured sample differs from recent Hancom-themed Kimsuky payloads, but it still decrypts and decompresses a second stage with RC4 and zlib, injects that stage into svchost.exe, and checks for an AhnLab V3-related window identifier before hiding the window. The malware collects network, system, process, and file information into a directory under the user's Roaming profile, while the modified password-viewer component writes what appears to be browser-password output to aaweb.txt. The researchers note that the sample appears incomplete, since it has no persistence mechanism and no upload behavior was observed, but they assess that it shows Kimsuky continuing to test modifications of commercial tools for future South Korea-focused operations.

Indicators of Compromise

Type Value First Seen Last Seen
HASH 56df55ef50e9b9c891437c7148a0764a 2021-11-19 2022-08-30
HASH 6ae81464fa07cbe9ff288b05f3aefe50 2021-11-19 2021-11-19
