North Korean Kimsuky Malware Abusing a CJ OliveNetworks Certificate to Attack KIMM: 20250428 플x아이 작업계획서 및 작업완료서_기계연 이X화.scr (2025.5.7)

2025-05-19 Sakai North Korean Kimsuky Malware Abusing a CJ OliveNetworks Certificate to Attack KIMM - 20250428 Plan and Completion Report for KIMM Lee X-hwa.scr (2025.5.7)

http://wezard4u.tistory.com/429487


Kimsuky is tied to an attack using a malicious SCR file disguised as Korean machinery-research work-plan and completion documents. The sample reportedly carried a CJ OliveNetworks digital signature issued by Sectigo, which CJ OliveNetworks revoked after the abuse was identified. The excerpt lists hashes for the SCR and a downloaded payload, then describes config.dat code with heavy obfuscation, conditional memory manipulation, self-modifying behavior, dynamic function-pointer execution, and anti-debug/anti-emulation-style control flow. Reported infrastructure includes a login.php URL on a Korean free-domain service resolving to 162.220.11.186, highlighting continued DPRK-linked abuse of trusted certificates, document lures, and evasive payload staging against South Korean targets.

Indicators of Compromise

| Type   | Value                              | First Seen | Last Seen  |
|--------|------------------------------------|------------|------------|
| URL    | http://gsegse.dasfesfgsegsefsed…   | 2025-05-19 | 2026-04-07 |
| DOMAIN | gsegse.dasfesfgsegsefsede.o-r.kr   | 2025-05-15 | 2026-04-07 |
| HASH   | 7ec88818697623a0130b1de42fa31335   | 2025-05-15 | 2025-05-30 |
| HASH   | 580d7a5fdf78dd3e720b2ce772dc77e9   | 2025-05-15 | 2025-05-30 |
| HASH   | 49fd125c5f516be6883404c256d79af…   | 2025-05-19 | 2025-05-19 |
| HASH   | 123aefe0734da130b475bfdad6c3ebe…   | 2025-05-19 | 2025-05-19 |
| HASH   | df3e07199e8457341dd06dfa5b04d6a…   | 2025-05-19 | 2025-05-19 |
| HASH   | 7047efbd15b20086933a3e41f23252d…   | 2025-05-19 | 2025-05-19 |
| IPv4   | 162.220.11.186                     | 2025-05-19 | 2025-05-19 |
