OneNote Malware Disguised as Honorarium Payment Details (Kimsuky)

2023-03-20 Ahnlab OneNote malware disguised as reward payment (Kimsuky)

https://asec.ahnlab.com/ko/49843/

AhnLab ASEC reported a Kimsuky OneNote malware campaign disguised as reward-payment paperwork, extending the group’s recent use of CHM and LNK delivery formats. The OneNote lure appeared to contain a Korean HWP privacy-agreement document, but the clickable area hid a personal.vbs object that dropped and ran from a temporary path. The decoded script contacted hxxp://delps.scienceontheweb.net/ital/info/list.php?query=1 and used PowerShell to fetch a decoy personal.hwp from the same host, matching infrastructure and behavior previously seen in related Kimsuky document attacks. ASEC identified the OneNote hash aa756b20170aa0869d6f5d5b5f1b7c37 and VBS hash f2a0e92b80928830704a00c91df87644 as key indicators.

Indicators of Compromise

| Type | Value | First Seen | Last Seen |
|------|-------|------------|-----------|
| DOMAIN | delps.scienceontheweb.net | 2023-03-17 | 2024-12-16 |
| HASH | aa756b20170aa0869d6f5d5b5f1b7c37 | 2023-03-17 | 2023-05-24 |
| HASH | f2a0e92b80928830704a00c91df87644 | 2023-03-17 | 2023-05-24 |
| URL | http://delps.scienceontheweb.ne… | 2023-03-17 | 2023-03-20 |
| URL | http://delps.scienceontheweb.ne… | 2023-03-17 | 2023-03-20 |
