Suspected Kimsuky attacks targeting South Korea's military industry

2021-07-08 Qihoo360 Suspected Kimsuky attacks targeting South Korea's military industry

https://mp.weixin.qq.com/s/y4TGzrhr2rvVk5EAca91hA


Qihoo 360 reports a suspected Kimsuky operation aimed at South Korean military and defense-related targets. The initial sample is a PE file disguised with a Microsoft-style icon and delivered with a Korean-language HWP procurement-plan document as the lure. On execution, the first-stage malware displayed the decoy document, created a mutex with a version-number-like name, invoked mshta.exe against vpn.atooi.ga to retrieve the next stage, and then deleted itself using a BAT script. Related DLL samples used the same mutex naming scheme, decrypted embedded shellcode, and injected it into rundll32.exe; that shellcode then attempted to contact 27.102.127.240 to fetch additional code. The analysis links the backdoor's string and API-name decryption routine to historical Kimsuky tooling, but keeps the attribution cautious, describing the activity only as suspected Kimsuky.

Indicators of Compromise

Type    Value                                  First Seen  Last Seen
HASH    d4da4660836d61db95dd91936e7cfa4a       2021-07-08  2021-07-08
HASH    7f4624a8eb740653e2242993ee9e0997       2021-07-08  2021-07-08
URL     http://vpn.atooi.ga/?query=5           2021-07-08  2021-07-08
DOMAIN  vpn.atooi.ga                           2021-07-08  2021-07-08
IPv4    27.102.127.240                         2021-07-08  2021-07-08

Related Actors

Related Reports
