Malware disguised as installation files of domestic public institutions (Kimsuky group)

2024-03-19 Ahnlab Malicious code disguised as installation files of domestic public institutions (Kimsuky group)

https://asec.ahnlab.com/ko/62117/


AhnLab reports that Kimsuky distributed a dropper disguised as a Korean public institution installer, signed with a valid domestic certificate, to deploy the Endoor backdoor. The dropper creates src.rar and unrar.exe, extracts the payload with the password 1q2w3e4r, and runs Endoor with an install argument so it copies itself to %USERPROFILE%\svchost.exe and registers a Windows Backup scheduled task. Follow-on activity included suspected Endoor updates, Mimikatz execution with sekurlsa::logonpasswords, screenshot theft, and use of Endoor and Nikidoor infrastructure including ngrok-free[.]app and minish.wiki[.]gd. The report links the activity to Kimsuky's continued use of signed malware, backdoors, and credential theft against Korean targets.

Indicators of Compromise

Type    Value                              First Seen  Last Seen
HASH    7034268d1c52539ea0cd48fd33ae43c4   2024-03-19  2024-03-26
HASH    f03618281092b02589bca833f674e8a0   2024-03-19  2024-03-26
HASH    7beaf468765b2f1f346d43115c894d4b   2024-03-19  2024-03-26
HASH    b74efd8470206a20175d723c14c2e872   2024-03-19  2024-03-26
HASH    b8ffb0b5bc3c66b7f1b0ec5cc4aadafc   2024-03-19  2024-03-26
URL     http://minish.wiki.gd/index.php    2024-03-19  2024-03-26
URL     http://minish.wiki.gd/eng.db       2024-03-19  2024-03-26
URL     http://minish.wiki.gd/upload.php   2024-03-19  2024-03-26
URL     https://real-joey-nicely.ngrok-…   2024-03-19  2024-03-26
URL     http://minish.wiki.gd/c.pdf        2024-03-19  2024-03-26
URL     https://fitting-discrete-lemur.…   2024-03-19  2024-03-26
DOMAIN  minish.wiki.gd                     2024-03-19  2024-03-26
IPv4    210.16.120.210                     2024-03-19  2024-03-26
