Kimsuky (Thallium) group: beware of COVID-19-themed, WSF file-based attacks
2020-06-30 • ESTSecurity • Kimsuky Thallium group uses COVID-19 themes and WSF file-based attacks
ESRC reports that the Kimsuky (Thallium) group continued to use Windows Script File (.wsf) delivery in its Blue Estimate campaign, this time with COVID-19-themed lure content. The script drops a decoy HWP document and a Base64-encoded patch.dll under ProgramData\Software\Microsoft\Windows\AutoPatch, which helps hide the infection from the user. The DLL contacts org-help.com infrastructure, including chanel-love.org-help.com and the IPs 92.249.44.201 and 213.190.6.57, sends the host's MAC address and OS information, and then waits for attacker commands. The source frames the activity as an active Kimsuky APT pattern: topical lures delivered as compressed WSF attachments or as download links.
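The chain summarised above maps onto four observable stages on an endpoint: script host executing a .wsf, a file written under the AutoPatch path, a DNS query for an org-help.com host, and a connection to one of the listed IPs. The following added example (not part of the ESRC report) classifies constructed log lines against those stages; the key=value log format and the sample lines are assumptions, only the indicators come from the summary.

```python
import re

# Indicators quoted in the ESRC summary above (domain, IPs, drop path).
C2_DOMAIN_SUFFIX = "org-help.com"
C2_IPS = {"92.249.44.201", "213.190.6.57"}
DROP_PATH_FRAGMENT = r"programdata\software\microsoft\windows\autopatch"

# Constructed sample log lines in an assumed key=value format; not real telemetry.
SAMPLE_LOGS = [
    "event=ProcessCreate image=C:\\Windows\\System32\\wscript.exe "
    "cmdline=\"wscript.exe C:\\Users\\u\\Downloads\\covid19_notice.wsf\"",
    "event=FileCreate path=C:\\ProgramData\\Software\\Microsoft\\Windows\\AutoPatch\\patch.dll",
    "event=DnsQuery query=chanel-love.org-help.com",
    "event=NetworkConnect dst=213.190.6.57 dport=443",
    "event=ProcessCreate image=C:\\Windows\\explorer.exe cmdline=\"explorer.exe\"",
]

def parse(line):
    """Split an assumed key=value log line into a dict (quoted values allowed)."""
    return {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', line)}

def classify(line):
    """Return the stage name a line matches, or None if it shows nothing from the report."""
    f = parse(line)
    ev = f.get("event")
    if ev == "ProcessCreate" and "wscript" in f.get("image", "").lower() \
            and ".wsf" in f.get("cmdline", "").lower():
        return "wsf-execution"
    if ev == "FileCreate" and DROP_PATH_FRAGMENT in f.get("path", "").lower():
        return "autopatch-drop"
    if ev == "DnsQuery" and f.get("query", "").lower().endswith(C2_DOMAIN_SUFFIX):
        return "c2-dns"
    if ev == "NetworkConnect" and f.get("dst") in C2_IPS:
        return "c2-connect"
    return None

def scan(lines):
    """Map each distinct stage seen to the first line that showed it."""
    hits = {}
    for line in lines:
        stage = classify(line)
        if stage and stage not in hits:
            hits[stage] = line
    return hits

if __name__ == "__main__":
    for stage, line in scan(SAMPLE_LOGS).items():
        print(f"{stage:15} {line}")
```

Seeing all four stages on one host in sequence is a much stronger signal than any single indicator, since the IPs and domain can change while the wscript-to-AutoPatch pattern is the behaviour to hunt for.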