Kimsuky 외교광장.ps1 ("Diplomatic Plaza.ps1") malware analysis and security guidelines, ESET detection PowerShell/Kimsuky.AX

2025-09-03 Sakai Kimsuky Diplomatic Plaza.ps1 Malware Analysis and Security Guidelines, ESET Detection PowerShell/Kimsuky.AX

https://wezard4u.tistory.com/429586


A PowerShell script, detected by ESET as PowerShell/Kimsuky.AX, targeted a South Korean foreign-policy organization and collected host reconnaissance data before staging additional payloads. The script gathered running processes, OS version, public IP address, and installed antivirus product details, wrote them to a temporary file, uploaded that file to Dropbox using OAuth credentials embedded in the script, and then deleted the local copy. It next attempted to download a Dropbox-hosted batch file to C:\Users\Public\Music\po.bat, rename the remote file after retrieval, and execute the batch silently through cmd.exe. The follow-on batch logic downloaded files from koreadiplomacyplaza.kro.kr, copied an executable, a manifest, and a PowerShell script into C:\Users\Public\Videos, and created a scheduled task named Transt_Feed_Synchronization-{0DDC1BD9-E733-425C-B92B-ABAC149AB11264} for persistence. The activity matters because it combines targeted South Korean political and foreign-policy victimology with cloud-based exfiltration, Korea-themed infrastructure, and scheduled-task persistence.
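The host artifacts named above (the scheduled task, the staging files under C:\Users\Public, the staging domain and the Dropbox API endpoints) can be hunted for with a short script. The following is an added example for responders, not code from the original post or from the malware; it assumes it is run as an administrator on the Windows host under review, with PowerShell Script Block Logging enabled for the last check.

```powershell
# Added hunting example (not from the original post). Assumes an elevated PowerShell
# session on the host under review; only the task name, paths and domain come from the summary.
$findings = @()

# 1. Persistence: the scheduled task created by the follow-on batch logic.
$taskName = 'Transt_Feed_Synchronization-{0DDC1BD9-E733-425C-B92B-ABAC149AB11264}'
$task = Get-ScheduledTask -TaskName $taskName -ErrorAction SilentlyContinue
if ($task) {
    $actions = ($task.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join '; '
    $findings += [pscustomobject]@{ Type = 'ScheduledTask'; Detail = "$($task.TaskPath)$($task.TaskName)"; Context = $actions }
}

# 2. Staging: po.bat in Public\Music plus any exe/manifest/ps1 dropped into Public\Videos.
$paths = @('C:\Users\Public\Music\po.bat')
$paths += Get-ChildItem 'C:\Users\Public\Videos' -File -ErrorAction SilentlyContinue |
          Where-Object { $_.Extension -in '.exe', '.manifest', '.ps1' } |
          Select-Object -ExpandProperty FullName
foreach ($p in $paths) {
    if (Test-Path -LiteralPath $p) {
        $hash = (Get-FileHash -LiteralPath $p -Algorithm SHA256).Hash   # record for later IoC matching
        $findings += [pscustomobject]@{ Type = 'File'; Detail = $p; Context = "SHA256=$hash" }
    }
}

# 3. Network: cached DNS answers for the Korea-themed staging domain.
Get-DnsClientCache -ErrorAction SilentlyContinue |
    Where-Object { $_.Entry -like '*koreadiplomacyplaza.kro.kr*' } |
    ForEach-Object { $findings += [pscustomobject]@{ Type = 'DnsCache'; Detail = $_.Entry; Context = $_.Data } }

# 4. Exfiltration: Script Block Logging (event 4104) entries that reference the Dropbox API.
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104 } `
             -MaxEvents 2000 -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'api\.dropboxapi\.com|content\.dropboxapi\.com' } |
    ForEach-Object {
        $findings += [pscustomobject]@{ Type = 'ScriptBlock'; Detail = $_.TimeCreated; Context = ($_.Message -split "`n")[0] }
    }

if ($findings.Count -eq 0) { 'No artifacts from this chain were found on this host.' }
else { $findings | Format-Table -AutoSize -Wrap }
```

A hit on the task name or the Public-folder files is high-confidence; a Dropbox API reference in script block logs needs review, since legitimate tooling may use the same endpoints.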

Indicators of Compromise

