Domestic-targeting APT attack group - Kimsuky (김수키)

2020-03-31 Igloo Domestic targeting APT attack group - Kimsuky

https://www.igloo.co.kr/security-information/%ec%95%8c%ec%95%84%eb%b3%b4%ec%9e%a1-series-%ea%b5%ad%eb%82%b4-%ed%83%80%ea%b9%83%ed%98%95-apt%ea%b3%b5%ea%b2%a9%ea%b7%b8%eb%a3%b9-%ea%b9%80%ec%88%98%ed%82%a4kimsuky/


IGLOO profiles Kimsuky as a suspected North Korean group focused on domestic Korean targets for information collection and social disruption, citing the 2014 KHNP incident and the group's continued use of social-engineering themes tied to Korean and North Korea-related issues. The analyzed 2020 samples show a shift from earlier HWP-heavy activity toward Windows executable droppers disguised as document files, including COVID-19-themed macro lures and PE files with document icons and deceptive extensions. The droppers open decoy documents while creating batch files, dropping malicious DLLs, injecting into explorer.exe, and using registry locations for persistence across reboots. The report's CTI value lies in its mapping of Kimsuky TTPs to MITRE ATT&CK and its evidence that convincing document-themed lures remained central even as the payload formats changed.
