Kimsuky group conducts APT attack impersonating a Blue House security email
2020-06-19 • ESTSecurity
ESRC analysed several malicious files that impersonate a security notice from the Blue House (South Korea's presidential office) and attributed them to Kimsuky's Blue Estimate campaign. The lure is a Windows Script File, bmail-security-check.wsf, whose script body holds Base64-encoded components; when run, it decodes and drops bmail-security-check.exe and AutoUpdate.dll. The executable carries a Blue House logo as its icon and shows a decoy message about a security check of the recipient's mail. AutoUpdate.dll is written to ProgramData\Software\Microsoft\Windows\Defender, a directory name chosen to resemble the legitimate Windows Defender data folder; the real one is ProgramData\Microsoft\Windows Defender, with no "Software" segment, which makes the path a useful hunting check. The DLL carries exports belonging to a module named dropper-regsvr32.dll and attempts command-and-control traffic to security-confirm.bmail-org[.]com/pages/log.php, which resolved to 204.93.163[.]87. ESRC ties the activity to ongoing Kimsuky operations that use South Korean government themes and points out overlaps in tradecraft with the group's Smoke Screen and Blue Estimate campaigns.
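The dropper pattern described above (a WSF whose script text embeds Base64 blobs that become an EXE and a DLL) lends itself to a quick static triage. The following Python script is an added example, not ESRC's code or the actual sample: it pulls every long Base64 run out of a WSF, decodes it, flags anything that starts with a PE/DOS header, hashes it, and checks both the script text and the decoded blobs for the indicators named in the report (the C2 host, the IP, and the lookalike Defender path). The WSF it runs on is a constructed stand-in built inline; the "EXE" inside it is only an MZ header stub, and the regex threshold of 64 characters is an assumption chosen to skip short tokens.

```python
import base64
import hashlib
import re
from typing import Dict, List

# Constructed stand-in for bmail-security-check.wsf (not the real sample): a
# WSF job whose JScript holds two Base64 blobs, mirroring how the dropper
# embedded its EXE and DLL. The "EXE" is just an MZ/DOS-header stub.
FAKE_EXE = b"MZ" + b"\x90" * 62 + b"This program cannot be run in DOS mode.\r\n$"
FAKE_DLL = b"not a PE; just text with a C2 URL security-confirm.bmail-org.com/pages/log.php"

SAMPLE_WSF = (
    '<job id="Main">\n'
    '<script language="JScript">\n'
    'var exe = "' + base64.b64encode(FAKE_EXE).decode() + '";\n'
    'var dll = "' + base64.b64encode(FAKE_DLL).decode() + '";\n'
    # JScript string literal, so backslashes are doubled in the script text
    'var dir = "C:\\\\ProgramData\\\\Software\\\\Microsoft\\\\Windows\\\\Defender";\n'
    '</script>\n'
    '</job>\n'
)

# Host and network indicators named in the ESRC report. The path pattern
# accepts one or more backslashes so it matches both raw and escaped forms.
IOC_PATTERNS = {
    "c2_host": re.compile(rb"security-confirm\.bmail-org\.com", re.I),
    "c2_ip": re.compile(rb"\b204\.93\.163\.87\b"),
    "drop_dir": re.compile(rb"ProgramData\\+Software\\+Microsoft\\+Windows\\+Defender", re.I),
}

# Base64 runs long enough to be an embedded file rather than a short token
# (64 is an assumed threshold, not a value from the report).
B64_RE = re.compile(r"[A-Za-z0-9+/]{64,}={0,2}")


def scan_iocs(blob: bytes) -> List[str]:
    """Return the names of report indicators present in blob, in table order."""
    return [name for name, pat in IOC_PATTERNS.items() if pat.search(blob)]


def extract_payloads(wsf_text: str) -> List[Dict]:
    """Decode every long Base64 run in the script text and describe it."""
    found = []
    for m in B64_RE.finditer(wsf_text):
        try:
            raw = base64.b64decode(m.group(0), validate=True)
        except ValueError:  # binascii.Error subclasses ValueError; skip junk runs
            continue
        found.append({
            "offset": m.start(),
            "size": len(raw),
            "sha256": hashlib.sha256(raw).hexdigest(),
            "is_pe": raw[:2] == b"MZ",  # DOS header magic: cheap first-pass PE check
            "iocs": scan_iocs(raw),
        })
    return found


def triage(wsf_text: str) -> Dict:
    """Summarise a WSF: indicators in the script itself plus each decoded blob."""
    payloads = extract_payloads(wsf_text)
    return {
        "script_iocs": scan_iocs(wsf_text.encode("utf-8", "replace")),
        "payloads": payloads,
        "pe_count": sum(p["is_pe"] for p in payloads),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(triage(SAMPLE_WSF), indent=2))
```

On the constructed sample the script reports one PE blob (the MZ stub), one non-PE blob containing the C2 hostname, and the lookalike Defender path in the script text itself. On a real WSF, the SHA-256 of each decoded blob is what you would pivot on, and a blob that decodes to a PE but whose first 64 bytes are not a well-formed DOS header is worth a closer look, since the MZ check here is deliberately shallow.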