“How will the Russia-Ukraine conflict affect the situation on the peninsula?” Analysis of recent targeted attack activity by the APT group KIMSUKY
2022-05-05 • NSFOCUS
https://web.archive.org/web/20230327072539/http://blog.nsfocus.net/apt-kimsuky-3/
NSFOCUS attributed a targeted phishing activity to Kimsuky that used the malicious document TBS TV_Qs.doc and likely targeted military experts or commentators focused on Korean Peninsula issues. The lure contained interview questions on the Russia-Ukraine war, North Korean ballistic missile tests, inter-Korean affairs, China-South Korea relations, the new South Korean president, denuclearization, and pressure on North Korea. The infection chain used Office macros to fetch decoy content and antivirus-specific bypass components from dusieme[.]com, then downloaded secur32.dll as a KimAPosT variant for persistence and follow-on execution. The KimAPosT variant hid AhnLab alert windows, dropped and ran VBS code, and used a OneDrive API download flow for later-stage script delivery; by discovery time the final script reportedly only sent victim usernames to ielsems[.]com. The report matters for DPRK tracking because it documents Kimsuky adapting a tested toolchain with AV-aware branching and cloud-hosted payload delivery against policy and military research targets.
Indicators of Compromise
| Type | Value | First Seen | Last Seen |
|---|---|---|---|
| DOMAIN | ielsems.com | 2022-05-05 | 2024-05-10 |
| DOMAIN | dusieme.com | 2022-05-05 | 2024-05-10 |
| URL | https://dusieme.com/panda/ca.ph… | 2022-05-05 | 2022-05-05 |
| URL | https://dusieme.com/panda/r.php | 2022-05-05 | 2022-05-05 |
| URL | https://dusieme.com/panda/ca.ph… | 2022-05-05 | 2022-05-05 |
| URL | https://dusieme.com/panda/ca.ph… | 2022-05-05 | 2022-05-05 |
| URL | https://ielsems.com/cic/macro.p… | 2022-05-05 | 2022-05-05 |
| URL | https://dusieme.com/panda/ca.ph… | 2022-05-05 | 2022-05-05 |
| URL | https://api.onedrive.com/v1.0/d… | 2022-05-05 | 2022-05-05 |
| URL | https://dusieme.com/eset/d.php?… | 2022-05-05 | 2022-05-05 |
| URL | https://dusieme.com/panda/ca.ph… | 2022-05-05 | 2022-05-05 |
| URL | https://dusieme.com/panda/TBS | 2022-05-05 | 2022-05-05 |
| URL | https://dusieme.com/panda/ca.ph… | 2022-05-05 | 2022-05-05 |
| URL | https://dusieme.com/panda/ca.ph… | 2022-05-05 | 2022-05-05 |
| URL | http://dusieme.com/panda/ca.php… | 2022-05-05 | 2022-05-05 |
| URL | https://dusieme.com/panda/ca.ph… | 2022-05-05 | 2022-05-05 |
| URL | https://dusieme.com/panda/ca.ph… | 2022-05-05 | 2022-05-05 |
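As an added example (not code from the NSFOCUS report), the following Python matcher applies the domains and path prefixes from the IOC table above to proxy log lines. The log format, the sample lines, and the `/cic/sample` path are constructed for the example; the domains and the `/panda/`, `/eset/` and `/cic/` prefixes come from the table. It also treats the `api.onedrive.com` entry differently from the attacker-controlled domains: that host is a legitimate Microsoft service used here for staging, so a hit there is context to review, not grounds to block the host.

```python
"""
Added example: match the IOC table from this page against proxy log lines.
Detection-side only: it flags hosts and URLs, it never contacts them.
"""
import re
from urllib.parse import urlsplit

# Attacker-controlled domains from the IOC table.
IOC_DOMAINS = {"dusieme.com", "ielsems.com"}

# URL path prefixes observed under those domains in the IOC table.
IOC_PATH_PREFIXES = {
    "dusieme.com": ("/panda/", "/eset/"),
    "ielsems.com": ("/cic/",),
}

# The report lists an api.onedrive.com URL (the OneDrive API download flow).
# That is a legitimate service, so matches are reported as "context" only.
CONTEXT_HOSTS = {"api.onedrive.com": ("/v1.0/",)}

# Assumed proxy log format: <timestamp> <client-ip> <method> <url> <status>
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+(?P<status>\d{3})$"
)


def host_matches(host, domain):
    """True for the domain itself or any subdomain; false for look-alikes
    such as notdusieme.com, which a plain substring check would accept."""
    host = host.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)


def classify_url(url):
    """Return (severity, reason) for a URL, or None if nothing matches."""
    parts = urlsplit(url)
    host, path = parts.hostname or "", parts.path or "/"
    for domain in IOC_DOMAINS:
        if host_matches(host, domain):
            if path.startswith(IOC_PATH_PREFIXES[domain]):
                return ("high", f"IOC domain {domain} with known path prefix")
            return ("medium", f"IOC domain {domain}")
    for ctx_host, prefixes in CONTEXT_HOSTS.items():
        if host == ctx_host and path.startswith(prefixes):
            return ("context", f"{ctx_host} staging URL; review, do not block host")
    return None


def parse_log_line(line):
    """Parse one log line into a dict, or None if it does not fit the format."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def scan_log(text):
    """Run every parsable log line through classify_url and collect the hits."""
    hits = []
    for line in text.splitlines():
        rec = parse_log_line(line)
        if not rec:
            continue
        verdict = classify_url(rec["url"])
        if verdict:
            severity, reason = verdict
            hits.append({"ts": rec["ts"], "client": rec["client"],
                         "url": rec["url"], "severity": severity, "reason": reason})
    return hits


# Constructed sample log (not real traffic). The /cic/sample path is invented;
# r.php and TBS under /panda/ are taken from the IOC table.
SAMPLE_LOG = """\
2022-05-05T09:12:01Z 10.0.0.15 GET https://dusieme.com/panda/r.php 200
2022-05-05T09:12:03Z 10.0.0.15 GET https://cdn.dusieme.com/panda/TBS 200
2022-05-05T09:13:10Z 10.0.0.22 GET https://www.example.org/index.html 200
2022-05-05T09:14:44Z 10.0.0.15 POST https://ielsems.com/cic/sample 200
2022-05-05T09:15:02Z 10.0.0.31 GET https://api.onedrive.com/v1.0/drive 200
2022-05-05T09:16:00Z 10.0.0.40 GET https://notdusieme.com/panda/ca.php 200
"""

if __name__ == "__main__":
    for h in scan_log(SAMPLE_LOG):
        print(h["severity"], h["client"], h["url"], "-", h["reason"])
```

The subdomain check and the separate "context" tier are the two choices that matter in practice: a substring match on `dusieme.com` would also fire on unrelated look-alike hosts, and blocking `api.onedrive.com` outright because it appears in an IOC list would break legitimate OneDrive use for the whole organisation.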