Beware: the Kimsuky group is exploiting the coronavirus issue in an ongoing APT attack targeting macOS MS Office users!
2020-03-21 • ESTSecurity
ESRC reports that Kimsuky reused COVID-19 themes in a Smoke Screen-linked spear-phishing campaign distributing a Word document named “COVID-19 and North Korea.docx.” When macros are enabled, the document contacts attacker-controlled C2 and uses PowerShell-style logic and the Kimsuky-associated multipart boundary string 7e222d1d50232 to upload collected data. The campaign is notable for targeting macOS users of Microsoft Office: downloaded Python scripts collect system, user, hardware, network and file-list information, compress Office-related data into backup.zip for exfiltration, and attempt to replace the user’s normal.dotm template before fetching additional malware.
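A detection sketch for the upload behaviour described above, added here as an example and not taken from the ESRC report: it parses a captured HTTP request and flags a multipart POST whose boundary contains the reported string or whose parts carry a file named backup.zip. The sample requests, hosts and paths are constructed, and the function names are hypothetical.

```python
from email.message import Message

KIMSUKY_BOUNDARY = "7e222d1d50232"  # multipart boundary string named in the report
EXFIL_ARCHIVE = "backup.zip"        # archive name named in the report

def _headers(block: str) -> Message:
    """Parse 'Name: value' lines into a Message for RFC-aware parameter access."""
    msg = Message()
    for line in block.split("\r\n"):
        name, sep, value = line.partition(":")
        if sep and name.strip():
            msg[name.strip()] = value.strip()
    return msg

def classify(raw: bytes) -> list:
    """Return which report indicators a raw HTTP request matches."""
    head, _, body = raw.partition(b"\r\n\r\n")
    request_line, _, header_block = head.decode("latin-1").partition("\r\n")
    headers = _headers(header_block)
    if (not request_line.upper().startswith("POST ")
            or headers.get_content_type() != "multipart/form-data"):
        return []
    boundary = headers.get_boundary() or ""
    hits = []
    # Substring match: tolerates extra leading dashes around the fixed string.
    if KIMSUKY_BOUNDARY in boundary:
        hits.append("boundary")
    if boundary:
        for part in body.split(b"--" + boundary.encode("latin-1")):
            part_head = part.partition(b"\r\n\r\n")[0].decode("latin-1")
            name = _headers(part_head).get_filename()
            if name and name.lower() == EXFIL_ARCHIVE:
                hits.append("archive")
                break
    return hits

# Constructed sample requests (hosts, paths and bodies are made up).
SUSPECT = (b"POST /upload HTTP/1.1\r\nHost: c2.example.invalid\r\n"
           b"Content-Type: multipart/form-data; boundary=----7e222d1d50232\r\n\r\n"
           b"------7e222d1d50232\r\n"
           b'Content-Disposition: form-data; name="file"; filename="backup.zip"\r\n\r\n'
           b"PK\x03\x04\r\n------7e222d1d50232--\r\n")
BENIGN = (b"POST /upload HTTP/1.1\r\nHost: intranet.example.invalid\r\n"
          b"Content-Type: multipart/form-data; boundary=----FormBoundaryA1\r\n\r\n"
          b"------FormBoundaryA1\r\n"
          b'Content-Disposition: form-data; name="file"; filename="report.pdf"\r\n\r\n'
          b"%PDF\r\n------FormBoundaryA1--\r\n")
if __name__ == "__main__":
    print("suspect:", classify(SUSPECT), "benign:", classify(BENIGN))
```

The archive name alone is a weak signal; treat it as corroboration for a boundary hit, not as a standalone alert.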