The Kimsuky organization carried out an APT attack disguised as the contents of a letter from U.S. Deputy Secretary of State Biegun
2020-03-03 • ESTSecurity
ESRC identified a new Smoke Screen APT spear-phishing attack using a malicious Word document named as a letter from U.S. Deputy Secretary Biegun, and assessed it as the same Kimsuky-linked activity seen in earlier lures. The document reuses the macro-enabling lure design and similar VBA macro code from a prior coronavirus-themed document, and both attacks use Mireene-hosted C2 paths. If a user enables content, the macro launches mshta to retrieve search.hta from the attacker-controlled server, which then calls additional files. The follow-on code collects and exfiltrates host information, downloads additional files, and includes keylogging spyware behavior. Its multipart boundary value, 7e222d1d50232, is noted as previously observed in Kimsuky code.
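The two behaviors described above lend themselves to simple telemetry checks: an Office process starting mshta with a remote URL, and an HTTP upload whose multipart boundary contains 7e222d1d50232. The following is an added example, not code from ESRC or the original report; the event field names, host name and sample records are constructed assumptions, and only the boundary value and the search.hta file name come from the page.

```python
import re

# Boundary value is from the report; field names and sample data are constructed.
KNOWN_BOUNDARY = "7e222d1d50232"
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe"}
REMOTE_ARG = re.compile(r"https?://\S+", re.IGNORECASE)
BOUNDARY_PARAM = re.compile(r'boundary="?([^";\s]+)', re.IGNORECASE)

def basename(path):
    """Lower-cased file name from a Windows or POSIX style path."""
    return re.split(r"[\\/]", path.strip('"'))[-1].lower()

def office_spawned_remote_mshta(event):
    """True when an Office process starts mshta with a remote URL argument."""
    if basename(event.get("parent_image", "")) not in OFFICE_PARENTS:
        return False
    if basename(event.get("image", "")) != "mshta.exe":
        return False
    return bool(REMOTE_ARG.search(event.get("command_line", "")))

def has_known_boundary(content_type):
    """True when a multipart Content-Type carries the boundary from the report."""
    if not content_type.lower().lstrip().startswith("multipart/"):
        return False
    match = BOUNDARY_PARAM.search(content_type)
    return bool(match) and KNOWN_BOUNDARY in match.group(1)

def triage(process_events, http_requests):
    """Return (kind, record) pairs for every record matching either check."""
    hits = [("office_mshta", e) for e in process_events
            if office_spawned_remote_mshta(e)]
    hits += [("multipart_boundary", r) for r in http_requests
             if has_known_boundary(r.get("content_type", ""))]
    return hits

# Constructed process-creation events (c2.example.test is a placeholder host).
SAMPLE_PROCESS_EVENTS = [
    {"parent_image": r"C:\Office16\WINWORD.EXE", "image": r"C:\Windows\System32\mshta.exe",
     "command_line": "mshta.exe http://c2.example.test/search.hta"},
    {"parent_image": r"C:\Windows\explorer.exe", "image": r"C:\Windows\System32\mshta.exe",
     "command_line": r"mshta.exe C:\Tools\local.hta"},
    {"parent_image": r"C:\Office16\WINWORD.EXE", "image": r"C:\Windows\splwow64.exe",
     "command_line": "splwow64.exe 8192"},
]
# Constructed proxy records; only the first carries the reported boundary value.
SAMPLE_HTTP_REQUESTS = [
    {"content_type": "multipart/form-data; boundary=----7e222d1d50232"},
    {"content_type": "multipart/form-data; boundary=----WebKitFormBoundaryabc123"},
    {"content_type": "application/json"},
]
```

The boundary check is a weak indicator on its own and is best correlated with the process-lineage hit on the same host.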