King of Phishing: Analysis of Kimsuky's recent spear-phishing campaigns against South Korea using multiple themes

2022-07-25 Qianxin King of Phishing: Analysis of recent Kimsuky spear-phishing attacks against South Korea using multiple themes

https://ti.qianxin.com/blog/articles/king-of-phishing-analysis-of-kimsuky's-recent-spear-phishing-attacks-targeting-south-korea-with-multiple-topics/


Qianxin attributes with medium confidence a set of spear-phishing attacks against South Korean targets to Kimsuky, noting the group's focus on defense, education, energy, government, healthcare, and think tanks. The campaign used HWP lure documents themed around North Korean defector advisory surveys, Korea Policy Broadcasting invitations, and North Korea COVID-19 analysis to induce user interaction and execute embedded OLE or EPS content. The execution chain dropped temporary files, ran PowerShell, injected MSF-generated shellcode into legitimate Windows processes such as help.exe or winhlp32.exe, and used fileless follow-on loading to reduce detection. One sample used mshta.exe and a scheduled task named EstSoft\Alcap\Report to periodically contact C2, parse returned commands, execute them via cmd.exe, and post results back. Reported indicators include MD5 hashes such as 905745E2A196D7F8D7C2F9547F5B9E67 and infrastructure including hanainternational.net and work3.b4a.app.

Indicators of Compromise

Type     Value                              First Seen   Last Seen
HASH     905745e2a196d7f8d7c2f9547f5b9e67   2022-07-25   2022-09-03
HASH     8b9ea99a52c995d299e25df2ab24175d   2022-07-25   2022-07-25
HASH     a5e4d92c27fb4f8308f77a3833451801   2022-07-25   2022-07-25
HASH     29307065fc17ba422c93b790ac723a90   2022-07-25   2022-07-25
URL      https://work3.b4a.app/download.…   2022-06-20   2022-07-25
URL      http://hanainternational.net/ed…   2022-06-01   2022-07-25
DOMAIN   hanainternational.net              2022-05-09   2022-07-25
