Word document delivered via an external link after the target replies to the attacker's email (Kimsuky)

2022-07-26 AhnLab Word documents delivered through external links after replying to attacker emails (Kimsuky)

https://asec.ahnlab.com/ko/37175/

AhnLab reports continued Kimsuky distribution of malicious Word documents themed on North Korea-related work, with lures including a resume, an interim report, an advisory request, and a webinar. In one case the attacker impersonated a South Korean organization and sent the external download link only after the recipient replied positively to the initial email; the link passed through a credential-harvesting URL before what appears to be the document download path. The documents carry Korean-language decoy images that prompt the user to enable macros, and their VBA macros either create a version.ini script or copy mshta.exe to gtfmon.exe, then attempt to contact asssambly.mywebcommunity[.]org or freunkown1.sportsontheweb[.]net. AhnLab warns that the activity reflects persistent Kimsuky use of socially engineered Word documents and external links against users handling DPRK-related topics.
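The three host-observable steps in that chain (an Office process writing version.ini, a copy of mshta.exe running under another name, and a lookup or connection to one of the listed domains) can each be expressed as a simple rule over endpoint telemetry. The following Python hunt is an added example, not code from AhnLab or from the page; it uses Sysmon field names (Image, OriginalFileName, TargetFilename, DestinationHostname, QueryName, event IDs 1/3/11/22), the sample events are constructed for the demonstration, and the Office host list and the gtfmon.exe drop location are assumptions rather than details the report gives.

```python
"""Hunt for the Kimsuky macro chain described above in Sysmon-style JSON events.

Added example: the detection rules mirror the report's description, the
sample events below are constructed, and the Office process list is an
assumption.
"""
import json
import ntpath

# Network indicators from the report summary, with defanging removed.
IOC_DOMAINS = {
    "asssambly.mywebcommunity.org",
    "freunkown1.sportsontheweb.net",
    "accounts.serviceprotect.eu",
}
# Assumption: macro-capable Office hosts worth watching as file writers.
OFFICE_HOSTS = {"winword.exe", "excel.exe", "powerpnt.exe"}
# Dropped filename named in the report; extend with local findings.
DROPPED_NAMES = {"version.ini"}


def _base(path):
    """Lower-cased file name of a Windows path (works on any OS)."""
    return ntpath.basename(path or "").lower()


def renamed_mshta(ev):
    """Sysmon event 1: PE version info says MSHTA.EXE but the image has
    another name (the report's mshta.exe -> gtfmon.exe copy)."""
    return (ev.get("EventID") == 1
            and ev.get("OriginalFileName", "").lower() == "mshta.exe"
            and _base(ev.get("Image")) != "mshta.exe")


def office_drops_script(ev):
    """Sysmon event 11: an Office process writing the macro's dropped file."""
    return (ev.get("EventID") == 11
            and _base(ev.get("Image")) in OFFICE_HOSTS
            and _base(ev.get("TargetFilename")) in DROPPED_NAMES)


def ioc_contact(ev):
    """Sysmon event 3 (network connect) or 22 (DNS query) to a listed domain."""
    eid = ev.get("EventID")
    host = ev.get("DestinationHostname") if eid == 3 else ev.get("QueryName") if eid == 22 else None
    return bool(host) and host.lower().rstrip(".") in IOC_DOMAINS


RULES = [
    ("renamed_mshta", renamed_mshta),
    ("office_drops_script", office_drops_script),
    ("ioc_contact", ioc_contact),
]


def scan(lines):
    """Return (rule_name, Image) for every event line that trips a rule."""
    hits = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        for name, rule in RULES:
            if rule(ev):
                hits.append((name, ev.get("Image")))
    return hits


# Constructed sample telemetry (not real logs): one benign Word start, the
# three malicious steps, and a legitimate mshta.exe connection as a control.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "OriginalFileName": "WinWord.exe"},
    {"EventID": 11, "Image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "TargetFilename": r"C:\Users\user\AppData\Local\Temp\version.ini"},
    {"EventID": 1, "Image": r"C:\Users\user\AppData\Local\Temp\gtfmon.exe",
     "OriginalFileName": "MSHTA.EXE",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"},
    {"EventID": 22, "Image": r"C:\Users\user\AppData\Local\Temp\gtfmon.exe",
     "QueryName": "asssambly.mywebcommunity.org"},
    {"EventID": 3, "Image": r"C:\Windows\System32\mshta.exe",
     "DestinationHostname": "update.example.com"},
]
SAMPLE_LINES = [json.dumps(e) for e in SAMPLE_EVENTS]

if __name__ == "__main__":
    for rule, image in scan(SAMPLE_LINES):
        print(f"{rule:22s} {image}")
```

The renamed-binary rule is the most durable of the three: the domains will rotate, but a process whose PE version info says MSHTA.EXE while its on-disk name does not is suspicious regardless of which name the actor picks next, so it is worth keeping even after the listed IOCs age out.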

Indicators of Compromise

Type    Value                              First Seen   Last Seen
DOMAIN  freunkown1.sportsontheweb.net      2022-07-26   2022-07-29
HASH    7fe055d5aa72bd50470da61985e12a8a   2022-07-26   2022-07-26
HASH    357ef37979b02b08120895ae5175eb0a   2022-07-26   2022-07-26
URL     http://freunkown1.sportsonthewe…   2022-07-26   2022-07-26
URL     http://asssambly.mywebcommunity…   2022-07-26   2022-07-26
URL     https://accounts.serviceprotect…   2022-07-26   2022-07-26
DOMAIN  asssambly.mywebcommunity.org       2022-07-26   2022-07-26
DOMAIN  accounts.serviceprotect.eu         2022-07-26   2022-07-26
