Kimsuky Group Conducting Attacks Targeting the Russian Ministry of Foreign Affairs!

2022-08-26 ESTSecurity Kimsuky group is conducting attacks targeting the Russian Ministry of Foreign Affairs!

https://blog.alyac.co.kr/4892

Kimsuky activity targeted the Russian Ministry of Foreign Affairs through email, using what ESRC assessed as a previously stolen Russian consulate account in Shenyang to attack the Russian consulate in Japan. The lure impersonated an embassy accounting department and claimed to provide embassy information for a money transfer. The attached PowerPoint content included a file about Pyongyang-Moscow talks on Donbass, while the malicious component used a PowerPoint Add-In format with VBA rather than a standard macro-disabled .ppt or .pptx file. The macro contained a VBS file registered with Task Scheduler to run every five minutes and wait for commands from a C2 server. The report highlights hxxp://gg1593.c1.biz/dn.php and MD5 DAE0EFD29230FEAB95F46EE20030A425 as indicators for this campaign.
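The persistence pattern summarized above (a VBS file run by Task Scheduler every five minutes) can be hunted for in exported task definitions. The following Python is an added defensive example, not code from the ESTSecurity report; it assumes tasks are available as Task Scheduler XML, and the ten-minute threshold, function names and both sample tasks are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
SCRIPT_EXT = re.compile(r"\.(vbs|vbe|wsf)\b", re.I)
MAX_INTERVAL_S = 600  # assumption: flag repetition of ten minutes or less

def interval_seconds(text):
    """Convert a time-only ISO 8601 duration such as PT5M to seconds."""
    m = re.fullmatch(r"PT(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?", text.strip())
    if not m or not any(m.groups()):
        return None
    h, mi, s = (int(g or 0) for g in m.groups())
    return h * 3600 + mi * 60 + s

def frequent_script_task(xml_text):
    """Return (interval_s, command, arguments) for a task that re-runs a script, else None."""
    root = ET.fromstring(xml_text)
    found = (interval_seconds(e.text or "") for e in root.iterfind(".//t:Repetition/t:Interval", NS))
    short = [i for i in found if i is not None and i <= MAX_INTERVAL_S]
    if not short:
        return None
    for ex in root.iterfind(".//t:Actions/t:Exec", NS):
        command = ex.findtext("t:Command", "", NS).strip().strip('"')
        args = ex.findtext("t:Arguments", "", NS).strip()
        # Compare only the executable name, whatever directory it is launched from.
        host = command.lower().replace("/", "\\").rsplit("\\", 1)[-1]
        if host in SCRIPT_HOSTS or SCRIPT_EXT.search(command + " " + args):
            return min(short), command, args
    return None

# Constructed samples (not taken from the report): one repeating script task, one daily updater.
TASK_NS = 'xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task"'
SAMPLE_REPEATING = rf"""<Task {TASK_NS}>
  <Triggers><TimeTrigger>
    <Repetition><Interval>PT5M</Interval></Repetition>
    <StartBoundary>2022-08-01T09:00:00</StartBoundary>
  </TimeTrigger></Triggers>
  <Actions><Exec><Command>wscript.exe</Command>
    <Arguments>//B "C:\Users\Public\example.vbs"</Arguments></Exec></Actions>
</Task>"""
SAMPLE_DAILY = rf"""<Task {TASK_NS}>
  <Triggers><CalendarTrigger><StartBoundary>2022-08-01T03:00:00</StartBoundary>
    <ScheduleByDay><DaysInterval>1</DaysInterval></ScheduleByDay></CalendarTrigger></Triggers>
  <Actions><Exec><Command>C:\Program Files\Example\updater.exe</Command></Exec></Actions>
</Task>"""

if __name__ == "__main__":
    for name, xml_text in (("repeating", SAMPLE_REPEATING), ("daily", SAMPLE_DAILY)):
        print(name, frequent_script_task(xml_text))
```

A hit is a triage lead rather than a verdict, since legitimate administrative scripts can match the same pattern.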

Indicators of Compromise

| Type | Value | First Seen | Last Seen |
|------|-------|------------|-----------|
| IPv4 | 185.176.43.106 | 2021-03-10 | 2024-11-08 |
| HASH | dae0efd29230feab95f46ee20030a425 | 2022-08-26 | 2024-09-05 |
| DOMAIN | gg1593.c1.biz | 2022-08-26 | 2024-09-05 |
| URL | http://gg1593.c1.biz/dn.php | 2022-08-26 | 2023-05-31 |
