APT Attack Attempt Disguised as Requirements for a North Korea-Related Manuscript (Kimsuky)

2022-02-14 AhnLab

https://asec.ahnlab.com/ko/31481/

AhnLab attributed a spear-phishing attempt against a university professor to Kimsuky, using a malicious Word document disguised as manuscript requirements for a North Korea-related publication. The document contained macros that downloaded Visual Basic Script commands from an attacker server and executed them in memory. The VBS collected system details, operating system information, memory size, and file listings from Desktop, Documents, Favorites, Recent, Program Files, and Downloads paths. It also wrote a timestamped OfficeAppManifest file under the Microsoft Templates directory and registered a Microsoft-masquerading service for persistence and command polling. AhnLab detected the document as Downloader/DOC.Kimsuky and the downloaded script as Downloader/VBS.Agent.
