Shark's Carnival: APT-C-55 Kimsuky Group's Recently Disclosed BabyShark Components

2022-06-07 Qihoo360 Shark's Carnival — APT-C-55 Kimsuky organization's recent disclosure of BabyShark components

https://mp.weixin.qq.com/s/ZV8AOTd7YGUgCTTTZtTktQ


360 attributed multiple BabyShark component attacks from the first half of 2022 to the Kimsuky group and linked the malware family to espionage against targets related to nuclear security, Korean Peninsula security and cryptocurrency. The described chain uses malicious DLLs to drop VBS scripts, which request OneDrive API and 1drv.com URLs, decrypt the returned data and upload collected user information to ielsems[.]com so the operators can validate the target. One related component retrieves desktop.tmp from worldinfocontact[.]club, stores its execution logic in a registry value and creates a scheduled task that runs sys.vbs every 29 minutes. The report also identifies an iterated BabyShark DLL whose export functions and PDB path overlap with earlier Kimsuky BabyShark samples, indicating continued tooling development alongside changing infrastructure.

Indicators of Compromise

