Genians analyzed a March-April 2025 AppleSeed campaign attributed in the source to Kimsuky, a North Korea-linked state-sponsored group targeting Korean Facebook, email, and Telegram users. The operators approached North Korea-related workers and activists with Korean-language lures about defector volunteer activities, then delivered password-protected EGG archives through Messenger, email links or attachments, and Telegram follow-up when phone numbers were available. The malware chain used an obfuscated JSE file to create a decoy PDF and a malicious DLL, decoded payload data with Microsoft.XMLDOM, PowerShell, and certutil, and loaded DLLs with regsvr32 using the parameter tgvyh!@#12. Follow-on components used VMProtect packing, HKCU Run persistence under TripServiceUpdate, DLL placement in AppData Roaming paths, system information collection, UAC and admin-right checks, mutex creation, RSA-protected RC4 encryption, ZIP packaging, and external transmission of collected data. The case matters because it shows Kimsuky adapting AppleSeed delivery to trusted social contacts and Korea-specific tooling while maintaining a detailed Windows persistence and collection workflow.