Malware Disguised as a Health Checkup Notice Document

2025-11-06 Logpresso Malware Disguised as a Health Checkup Notice Document

https://logpresso.com/en/blog/2025-11-06-healthcheckup-malware


Logpresso assesses that a late-October 2025 attack using a health-check notice lure was conducted by the North Korea-linked Kimsuky group. The intrusion relied on an archive containing a JSE file disguised as a PDF, which displayed a benign document while decoding embedded PE data and loading it through rundll32.exe in the background. The malware contacted its C2 every minute, waited for staged responses such as “live” and “ok,” collected account, host, privilege, systeminfo, and ipconfig data, and uploaded the results with AES-128 and Base64 encoding. A later channel could retrieve an encrypted PE payload, decrypt it with RC4, load an additional DLL, and call a “hello” export, while infrastructure listed in the excerpt includes load.samework.o-r.kr and related o-r.kr/r-e.kr domains.
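As an added illustration (not code from the Logpresso report), the Python below runs two defender-side checks derived from the chain described above over constructed sample telemetry: a Windows Script Host process opening a double-extension `.pdf.jse` lure that then spawns rundll32.exe on a DLL in a user-writable path, and a host contacting one domain at the one-minute cadence of the malware's C2 polling. The host names, file paths, timestamps and the non-C2 domain are assumptions; only load.samework.o-r.kr comes from the report.

```python
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample telemetry, not taken from the Logpresso report.
# Process events: (timestamp, host, parent image, image, command line).
PROCESS_EVENTS = [
    ("2025-10-28T09:01:10", "ws1", r"C:\Program Files\Bandizip\Bandizip.exe",
     r"C:\Windows\System32\wscript.exe", r'wscript.exe "C:\Users\u\Downloads\Checkup_Notice.pdf.jse"'),
    ("2025-10-28T09:01:12", "ws1", r"C:\Windows\System32\wscript.exe",
     r"C:\Windows\System32\rundll32.exe", r"rundll32.exe C:\Users\u\AppData\Local\Temp\upd.dll,Run"),
    ("2025-10-28T09:03:00", "ws2", r"C:\Windows\explorer.exe",
     r"C:\Windows\System32\rundll32.exe", r"rundll32.exe shell32.dll,Control_RunDLL"),  # benign
]
# Proxy events: (timestamp, host, destination); ws1 polls the C2 domain once a minute.
PROXY_EVENTS = [("2025-10-28T09:%02d:15" % m, "ws1", "load.samework.o-r.kr") for m in range(1, 7)]
PROXY_EVENTS += [("2025-10-28T09:02:40", "ws2", "cdn.example.test"), ("2025-10-28T09:09:05", "ws2", "cdn.example.test")]

SCRIPT_HOSTS = ("wscript.exe", "cscript.exe")
DOUBLE_EXT = re.compile(r"\.(pdf|docx?|hwp|xlsx?)\.(jse?|vbs|wsf)\b", re.IGNORECASE)
USER_PATH = re.compile(r"\\(Users|ProgramData|Temp)\\", re.IGNORECASE)

def flag_script_chain(events):
    """Return (host, reason) findings: a script host opening a double-extension lure,
    or rundll32 spawned by a script host loading a DLL from a user-writable path."""
    findings = []
    for ts, host, parent, image, cmd in events:
        if image.lower().endswith(SCRIPT_HOSTS) and DOUBLE_EXT.search(cmd):
            findings.append((host, "double-extension script lure"))
        if (image.lower().endswith("rundll32.exe") and parent.lower().endswith(SCRIPT_HOSTS)
                and USER_PATH.search(cmd)):
            findings.append((host, "script host -> rundll32 loading user-path DLL"))
    return findings

def find_beacons(events, period=60, tolerance=5, min_hits=4):
    """Return (host, domain) pairs whose request spacing is about `period` seconds."""
    series = defaultdict(list)
    for ts, host, dom in events:
        series[(host, dom)].append(datetime.fromisoformat(ts))
    beacons = []
    for key, times in series.items():
        times.sort()
        deltas = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        if len(times) >= min_hits and abs(statistics.median(deltas) - period) <= tolerance:
            beacons.append(key)
    return beacons

print(flag_script_chain(PROCESS_EVENTS))
print(find_beacons(PROXY_EVENTS))
```

The beacon check uses the median gap so a few missed or delayed polls do not hide the cadence; tune `tolerance` and `min_hits` to the proxy's timestamp resolution.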

Indicators of Compromise

