Malicious Backdoor VBS Script Created by North Korea's Kimsuky - vbs.html (2025.3.16)

2025-03-19 Sakai Malicious Backdoor VBS Script Created by North Korea's Kimsuky - vbs.html (2025.3.16)

https://wezard4u.tistory.com/429434

The Korean analysis attributes a malicious VBS backdoor sample named vbs.html to Kimsuky and says it was distributed from hxxp://mrasis(.)n-e(.)kr. The sample is heavily obfuscated: it uses random variable names, suppresses errors, decodes hexadecimal strings into executable VBScript, and runs the decoded content through Execute. The decoded logic creates Microsoft.XMLHTTP or MSXML2.ServerXMLHTTP objects, sends HTTP POST requests to the same domain, and executes the server response, giving it remote command execution and backdoor behavior. The report identifies mrasis(.)n-e(.)kr as command-and-control infrastructure and provides MD5, SHA-1, and SHA-256 hashes for the sample to support detection and hunting.
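
The behaviours described above can be checked statically, without running the script. The following Python is an added example, not code from the original analysis; it assumes the encoded payload appears as quoted, even-length hex literals, and the sample script, its variable names and the function names are constructed for illustration.

```python
import re

# Assumption: encoded payloads appear as quoted, even-length hex literals (>= 16 bytes).
HEX_LITERAL = re.compile(r'"((?:[0-9A-Fa-f]{2}){16,})"')
EXECUTE_CALL = re.compile(r'\bExecute(?:Global)?\b', re.I)
ERROR_SUPPRESS = re.compile(r'^\s*On\s+Error\s+Resume\s+Next\b', re.I | re.M)
HTTP_PROGID = re.compile(r'(?:Microsoft|MSXML2)\.(?:Server)?XMLHTTP', re.I)

# Constructed, inert sample: the hidden text is a fragment, not a working script.
HIDDEN = 'CreateObject("MSXML2.ServerXMLHTTP") : "POST"'
SAMPLE = (
    'On Error Resume Next\n'
    f'xkqj = "{HIDDEN.encode().hex()}"\n'
    'Execute vzpl(xkqj)\n'
)
BENIGN = 'Dim total\ntotal = 1 + 2\nWScript.Echo "deadbeef"\n'


def decode_hex_literals(script):
    """Return the text hidden in each long hex string literal."""
    return [bytes.fromhex(m.group(1)).decode("latin-1")
            for m in HEX_LITERAL.finditer(script)]


def triage_vbs(script):
    """Statically flag the behaviours the report describes; executes nothing."""
    decoded = decode_hex_literals(script)
    visible = script + "\n" + "\n".join(decoded)  # plain text plus decoded layer
    findings = {
        "error_suppression": bool(ERROR_SUPPRESS.search(script)),
        "dynamic_execute": bool(EXECUTE_CALL.search(script)),
        "hex_payloads": len(decoded),
        "http_object": bool(HTTP_PROGID.search(visible)),
        "http_post": bool(re.search(r'"POST"', visible, re.I)),
    }
    # Hex-decoded code reaching Execute plus an HTTP client is the backdoor shape.
    findings["suspicious"] = (findings["dynamic_execute"]
                              and findings["hex_payloads"] > 0
                              and findings["http_object"])
    return findings


if __name__ == "__main__":
    print(triage_vbs(SAMPLE))
```

Because the ProgID check runs over the decoded layer as well as the visible text, the HTTP client is found even though it never appears in the clear in the file.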
