Kimsuky group carries out a "Smoke Screen" APT attack using documents disguised as 21st National Assembly election material

2020-04-10 ESTSecurity: The Kimsuky group carried out a "Smoke Screen" APT attack using documents disguised as material for the 21st National Assembly election.

https://blog.alyac.co.kr/2906


ESRC (ESTsecurity's security response center) reported another Kimsuky "Smoke Screen" campaign that uses malicious DOCX files posing as documents related to the 21st South Korean National Assembly election and to diplomacy. The documents do not carry the macro themselves: word/_rels/settings.xml.rels references an external attached template hosted at saemaeul.mireene[.]com, so Word fetches the template from that server when the file is opened and then shows the usual enable-content prompt; the malicious macro content is retrieved from, and executed via, that same Mireene-hosted infrastructure. Once the macro runs, the malware writes its command data to a file named .NETFramework4.xml, establishes persistence through a scheduled task themed after the KMSAuto activation tool, and communicates with report.php and down.php endpoints on the server to fetch further attacker commands and to exfiltrate stolen information. According to the source, Kimsuky repeatedly targeted South Korean companies and institutions with this campaign in early 2020.
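The detection point in the summary above is the external attachedTemplate relationship in word/_rels/settings.xml.rels. The following script is an added example (written for this page, not ESRC's or the campaign's code) that opens a DOCX as the zip it is, reads that relationship file, and separates templates that will be fetched over HTTP(S) from the local file:// references Word legitimately writes. The sample documents, the hostname template.example.com and the template file names are constructed for the example and are not the campaign's real URLs.

```python
"""Flag DOCX files whose settings.xml.rels pulls an attached template from a web server
(the remote-template technique used by the Smoke Screen documents)."""
import io
import zipfile
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Namespace and relationship type are fixed by the Office Open XML specification.
RELS_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
ATTACHED_TEMPLATE = (
    "http://schemas.openxmlformats.org/officeDocument/2006/relationships/attachedTemplate"
)
SETTINGS_RELS = "word/_rels/settings.xml.rels"


def attached_templates(docx_bytes: bytes) -> list:
    """Return the Target of every attachedTemplate relationship with TargetMode="External".

    Word marks even a local template (file:///C:/.../Normal.dotm) as External,
    so this list on its own is not a verdict.
    """
    targets = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        if SETTINGS_RELS not in zf.namelist():
            return targets
        root = ET.fromstring(zf.read(SETTINGS_RELS))
        for rel in root.iter(f"{{{RELS_NS}}}Relationship"):
            if rel.get("Type") == ATTACHED_TEMPLATE and rel.get("TargetMode") == "External":
                targets.append(rel.get("Target", ""))
    return targets


def remote_templates(docx_bytes: bytes) -> list:
    """Keep only templates served over HTTP/HTTPS: the document contacts that server as
    soon as it is opened, before any macro prompt is shown."""
    return [
        t for t in attached_templates(docx_bytes)
        if urlparse(t).scheme.lower() in ("http", "https")
    ]


def build_docx(settings_rels_xml=None) -> bytes:
    """Build a minimal DOCX-shaped zip around the given settings.xml.rels.
    Constructed test input only; a real DOCX has many more parts."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<document/>")
        if settings_rels_xml is not None:
            zf.writestr(SETTINGS_RELS, settings_rels_xml)
    return buf.getvalue()


def _rels_with_template(target: str) -> str:
    """settings.xml.rels containing one External attachedTemplate pointing at `target`."""
    return (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        f'<Relationships xmlns="{RELS_NS}">'
        f'<Relationship Id="rId1" Type="{ATTACHED_TEMPLATE}" '
        f'Target="{target}" TargetMode="External"/>'
        "</Relationships>"
    )


# Constructed samples. template.example.com is a placeholder, not the campaign's host.
MALICIOUS_DOCX = build_docx(_rels_with_template("http://template.example.com/remote-template.dotm"))
BENIGN_DOCX = build_docx(_rels_with_template(
    "file:///C:/Users/user/AppData/Roaming/Microsoft/Templates/Normal.dotm"))
PLAIN_DOCX = build_docx()  # no settings.xml.rels at all


if __name__ == "__main__":
    for name, blob in (("malicious", MALICIOUS_DOCX), ("benign", BENIGN_DOCX), ("plain", PLAIN_DOCX)):
        remote = remote_templates(blob)
        print(f"{name}: {'REMOTE TEMPLATE ' + ', '.join(remote) if remote else 'no remote template'}")
```

Run it over a mail gateway's DOCX attachments and the list returned by remote_templates() is what to pivot on: the template URL is visible in the file before it is opened, while the macro itself lives on the server and may never be present on disk. Matching the extracted hostnames against the indicators below (saemaeul.mireene.com) turns this into a campaign-specific check; flagging any HTTP(S) template at all catches the technique regardless of infrastructure.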

Indicators of Compromise

Type     Value                              First Seen   Last Seen
URL      http://schemas.openxmlformats.o…   2020-03-20   2023-06-06
URL      http://saemaeul.mireene.com/ski…   2020-04-10   2020-07-29
URL      http://saemaeul.mireene.com/ski…   2020-04-10   2020-07-29
DOMAIN   saemaeul.mireene.com               2020-04-10   2020-07-29
URL      http://saemaeul.mireene.com/ski…   2020-04-10   2020-04-10
URL      http://saemaeul.mireene.com/ski…   2020-04-10   2020-04-10
URL      http://saemaeul.mireene.com/ski…   2020-04-10   2020-04-10
URL      http://saemaeul.mireene.com/ski…   2020-04-10   2020-04-10
URL      http://saemaeul.mireene.com/ski…   2020-04-10   2020-04-10
URL      http://saemaeul.mireene.com/ski…   2020-04-10   2020-04-10

Note: the first row is the standard Office Open XML schema namespace that appears in every .docx (hence a last-seen date running into 2023); it identifies the file format, not the attacker, and should not be used as a detection indicator. The actionable indicators are the saemaeul.mireene.com domain and the URLs beneath it; the URL paths are truncated on this page.
