A phishing email sent to a South Korean energy-company domain delivered a RAR attachment containing a .NET executable disguised as an air cargo waybill. The executable was identified as a PureCrypter first-stage loader that contacted 158.247.250[.]251 for encrypted content, decrypted it with AES values, and loaded the next .NET stage in memory. The analyzed PureCrypter configuration supported persistence, anti-debugging, sandbox and VM checks, AMSI and ETW patching, Windows Defender exclusions, self-copying to %AppData%\temp.exe, and multiple injection modes. Its final payload was Formbook, injected through process hollowing with explorer.exe used for parent-process spoofing, while the Formbook analysis described dynamic API use, layered function decryption, anti-debugging, and Heaven's Gate behavior. The source notes that the C2 server showed similarities to other Kimsuky attack infrastructure, but the technical body centers on the PureCrypter-to-Formbook delivery chain and the South Korea-linked phishing lure.