Kimsuky APT group uses past Lazarus doc attack methods
2020-06-11 • ESTSecurity • Kimsuky APT group uses past Lazarus doc attack methods
ESRC observed Kimsuky activity using a malicious Microsoft Word document themed around North Korean defector information, with the lure containing an English-language defector interview and prompting the user to enable content. The document used VBA macros with encoded strings, anti-VM checks, and embedded hex-encoded binary data that was XOR-decoded into a 32-bit UPX-packed winload.exe payload. The payload carried an EGIS Co., Ltd. digital signature previously reported in Kimsuky activity, Korean-language resource settings, encoded API strings, anti-VM behavior, and a decoded C2 value of wave.posadadesantiago[.]com. ESRC noted that the macro technique resembled methods previously used by Lazarus, which could reflect tool sharing or a deliberate false-flag attempt, and said multiple APT groups including Lazarus, Kimsuky, Geumseong121, and Konni were actively targeting South Korea, security-sector personnel, North Korea-related defectors, and journalists.
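The report describes the embedded payload as a hex-encoded blob inside the macro that is XOR-decoded into a 32-bit UPX-packed executable. The following is an added analyst-side triage helper, written for this page and not code from ESRC or from the malicious document: given the hex literal carved out of a macro (for example with olevba), it recovers a single-byte XOR key from the known "MZ" prefix, decodes the blob, and walks the PE header to confirm the 32-bit machine type and the UPX section names. The XOR key and the header-only sample PE are constructed for the example; the real document's key and binary are not given in the report.

```python
import re
import struct
from typing import Optional

# CONSTRUCTED for this example: the key used by the real document is not in the report.
SAMPLE_KEY = b"\x5a"


def xor_decode(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; symmetric, so it also serves to build the sample."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def carve_hex(hex_text: str) -> bytes:
    """Turn a hex string literal carved from a macro into raw bytes.
    Input must be the literal itself (quotes, '&' joins and '_' continuations are tolerated),
    not the whole macro source, since letters A-F in keywords would be misread as hex."""
    return bytes.fromhex(re.sub(r"[^0-9A-Fa-f]", "", hex_text))


def guess_single_byte_key(encoded: bytes) -> Optional[bytes]:
    """Known-plaintext recovery: a PE image starts with 'MZ', so the first two
    encoded bytes must XOR to 'M' and 'Z' under the same key byte."""
    if len(encoded) < 2:
        return None
    k = encoded[0] ^ ord("M")
    return bytes([k]) if encoded[1] ^ k == ord("Z") else None


def inspect_pe(blob: bytes) -> dict:
    """Minimal PE header walk: PE signature, Machine field, and section names."""
    info = {"is_pe": False, "is_32bit": False, "sections": []}
    if len(blob) < 0x40 or blob[:2] != b"MZ":
        return info
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    if blob[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return info
    info["is_pe"] = True
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics (20 bytes)
    machine, nsections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", blob, e_lfanew + 4)
    info["is_32bit"] = machine == 0x14C  # IMAGE_FILE_MACHINE_I386
    sect_off = e_lfanew + 4 + 20 + opt_size
    for i in range(nsections):
        off = sect_off + i * 40  # IMAGE_SECTION_HEADER is 40 bytes; Name is the first 8
        if off + 8 > len(blob):
            break
        info["sections"].append(blob[off:off + 8].rstrip(b"\0").decode("ascii", "replace"))
    return info


def triage(hex_text: str, key: Optional[bytes] = None) -> dict:
    """Carve, recover the key if none is supplied, decode, and summarise the result."""
    encoded = carve_hex(hex_text)
    key = key or guess_single_byte_key(encoded)
    if key is None:
        return {"is_pe": False, "is_32bit": False, "sections": [], "key": None, "upx_packed": False}
    info = inspect_pe(xor_decode(encoded, key))
    info["key"] = key
    info["upx_packed"] = any(s.startswith("UPX") for s in info["sections"])
    return info


def build_sample_pe() -> bytes:
    """CONSTRUCTED stand-in for the decoded payload: a header-only 32-bit PE carrying
    UPX0/UPX1 section names and no code at all, so it cannot run."""
    dos = bytearray(0x40)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew: PE header directly after the DOS header
    file_hdr = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 0, 0x0102)
    sections = b"".join(name.ljust(8, b"\0") + bytes(32) for name in (b"UPX0", b"UPX1"))
    return bytes(dos) + b"PE\0\0" + file_hdr + sections


# Hex literal as it might appear in the macro, constructed from the sample above.
SAMPLE_HEX_LITERAL = '"' + xor_decode(build_sample_pe(), SAMPLE_KEY).hex().upper() + '"'

if __name__ == "__main__":
    print(triage(SAMPLE_HEX_LITERAL))
```

The key-recovery step only covers single-byte keys; for a longer key the analyst supplies it explicitly through the `key` argument once it has been lifted from the decoding loop in the macro. The section-name check is a quick UPX indicator for triage, not proof of packing, since names are trivially renamed.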