Kimsuky APT group launches all-out attacks as Bitcoin passes 15 million won
2019-06-27 • ESTSecurity
ESRC describes a Kimsuky-attributed APT attack that impersonated an ELYSIA token sale winner notification and targeted cryptocurrency users with a malicious HWP consent form. The document required the password “daybit” and contained an obfuscated EPS/PostScript component that was decoded with a single-byte XOR 0xF0 routine before running shellcode and downloading additional payloads. The embedded payload reused strings seen in earlier Kimsuky activity and contacted paths under smalldeal.mypressonline[.]com for posting and downloading data. A packed 32-bit DLL used a mutex to avoid running twice, loaded another encoded payload from its resources, and attempted command-and-control through a Korean email service; a later variant created an AhnLab-themed roaming directory and saved captured keystrokes to k001-style DAT files.
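The single-byte XOR obfuscation described above is easy to reverse during triage even when the key is not known in advance. The following is an added analyst helper, not code from the ESRC report or from the malware: it brute-forces all 256 keys against an extracted blob and picks the one that yields printable PostScript containing a marker such as `%!PS`; the marker list and the sample blob are assumptions constructed for this example.

```python
# Added example (not from the ESRC report): recover a single-byte XOR key from an
# obfuscated EPS/PostScript section and decode it, as an analyst would during triage.
from typing import Iterable, Optional


def xor_decode(data: bytes, key: int) -> bytes:
    """Apply a single-byte XOR key to the whole buffer (the report's routine used 0xF0)."""
    return bytes(b ^ key for b in data)


def printable_ratio(data: bytes) -> float:
    """Fraction of bytes that are printable ASCII or whitespace; 1.0 for clean text."""
    if not data:
        return 0.0
    ok = sum(1 for b in data if 32 <= b < 127 or b in (9, 10, 13))
    return ok / len(data)


def recover_xor_key(
    blob: bytes, markers: Iterable[bytes] = (b"%!PS", b"/exec", b" def")
) -> Optional[int]:
    """Try every key 0x00..0xFF; return the key whose output contains a PostScript
    marker and is the most printable. Returns None if no candidate is plausible.
    The marker list is an assumption; extend it with strings seen in the sample."""
    best_key, best_score = None, 0.0
    for key in range(256):
        out = xor_decode(blob, key)
        score = printable_ratio(out)
        if score > best_score and any(m in out for m in markers):
            best_key, best_score = key, score
    return best_key


# Constructed sample: a harmless PostScript fragment encoded with 0xF0 to stand in
# for the obfuscated section an analyst would carve out of the HWP document.
SAMPLE_PLAIN = b"%!PS-Adobe-3.0\n/payload (encoded bytes would follow here) def\n"
SAMPLE_ENCODED = xor_decode(SAMPLE_PLAIN, 0xF0)

if __name__ == "__main__":
    key = recover_xor_key(SAMPLE_ENCODED)
    print(f"recovered key: {key:#04x}")          # recovered key: 0xf0
    print(xor_decode(SAMPLE_ENCODED, key).decode())
```

Because every plaintext byte is shifted into the 0x80-0xFF range by the 0xF0 key, the encoded section also stands out in a byte histogram, which is a quick first check before brute-forcing.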