Malware Crafted for Spear Phishing by the North Korean Hacking Group Kimsuky - 열차9월10일원고(화)_4.bat (2024.12.02)

2024-12-17 Malware Crafted for Spear Phishing by the North Korean Hacking Group Kimsuky - Train September 10 Manuscript (Tuesday)_4.bat (2024.12.02)

https://wezard4u.tistory.com/429357


A Korean-language malware analysis attributes a BAT-file spear-phishing sample to Kimsuky and says the lure appears aimed at a Korean broadcast production team working on North Korea-related programming. The script launches 32-bit PowerShell in a hidden window, reads elephant.dat from the temporary directory, converts it into a script block, and executes it. The follow-on code reads caption.dat, XOR-decodes it with the key "d", allocates executable memory through kernel32.dll APIs, and runs the decoded payload in a new thread. The source provides hashes for the BAT sample, including SHA-256 5306582c8a24508b594fed478d5abaa5544389c86ba507d8ebf98c5c7edde451, giving defenders concrete indicators for Kimsuky-linked script execution and memory-resident payload loading.
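A defender-side illustration of the loader chain described above, added here and not taken from the analysis itself: it scores constructed process-creation events for the traits the summary names (32-bit PowerShell host, hidden window, a .dat file read from the temp directory, script-block creation from file content) and undoes the single-byte XOR with key "d" on a constructed caption.dat stand-in so the decoded bytes can be triaged. The event format, the `[ScriptBlock]::Create` token and the sample bytes are assumptions, not values from the sample.

```python
import re

# Constructed process-creation events in a simplified key=value form (not from the page).
SAMPLE_EVENTS = [
    'Image=C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe '
    'CommandLine="powershell -WindowStyle Hidden -c $c=Get-Content $env:TEMP\\elephant.dat; '
    '[ScriptBlock]::Create($c)"',
    'Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe '
    'CommandLine="powershell -File C:\\ops\\backup.ps1"',
    'Image=C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe '
    'CommandLine="powershell -WindowStyle Hidden -c Get-Date"',
]

def score_event(event: str) -> list:
    """Return the traits of the BAT -> hidden 32-bit PowerShell -> .dat loader chain seen in one event."""
    text = event.lower()
    reasons = []
    if "\\syswow64\\windowspowershell\\" in text:   # SysWOW64 host means a 32-bit process
        reasons.append("32-bit powershell")
    if re.search(r"-w(indowstyle)?\s+hidden", text):
        reasons.append("hidden window")
    if re.search(r"(%temp%|\$env:temp|\\temp\\)[^\s\"']*\.dat", text):
        reasons.append(".dat read from temp")
    if "[scriptblock]::create" in text:            # assumed token for "converted into a script block"
        reasons.append("scriptblock built from file content")
    return reasons

def flag_events(events, min_hits: int = 3) -> list:
    """Keep only events showing at least min_hits traits, paired with their reasons."""
    flagged = []
    for event in events:
        reasons = score_event(event)
        if len(reasons) >= min_hits:
            flagged.append((event, reasons))
    return flagged

def xor_decode(blob: bytes, key: bytes = b"d") -> bytes:
    """Undo the single-byte XOR the report describes (key "d" = 0x64); XOR is symmetric, so it encodes too."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(blob))

def triage_payload(blob: bytes) -> dict:
    """Decode a captured caption.dat-style blob and note whether it carries a PE header or raw code."""
    decoded = xor_decode(blob)
    return {"decoded_len": len(decoded), "starts_with_mz": decoded[:2] == b"MZ"}

# Constructed stand-in for caption.dat: a PE-like header XORed with 0x64 (not the real sample).
CONSTRUCTED_CAPTION = xor_decode(b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00", b"d")
```

The minimum-hit threshold keeps a lone hidden-window PowerShell launch from alerting; the .dat-from-temp and script-block traits are what tie an event to this chain.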

Indicators of Compromise

Type  Value                             First Seen  Last Seen
HASH  5306582c8a24508b594fed478d5abaa…  2024-12-17  2025-03-10
HASH  5b191427f2d47efe8a8e7bb195f1b4a…  2024-12-17  2024-12-17
HASH  c0b447e45be32bd6ceba8c6455472b37  2024-12-17  2024-12-17
