Phishing Email Attack Case by the Larva-24005 Group Targeting Japan

2025-02-27 AhnLab Cyber threat report on Phishing, Larva-24005

https://asec.ahnlab.com/ko/86522/


AhnLab reports that Larva-24005, identified as a Kimsuky sub-group, compromised poorly secured Windows RDP hosts in South Korea and used them as phishing infrastructure. The actor installed RDPWrap, a custom keylogger, XAMPP, PHPMailer, and Japanese IME support, with some infrastructure linked to BlueKeep CVE-2019-0708 exploitation. Targeting focused on Japan-based North Korea researchers, university professors, and NGOs, using Zoom-themed emails and Microsoft-style credential phishing pages tied to attacker C2 servers.

Indicators of Compromise

Type Value First Seen Last Seen
EMAIL [email protected] 2025-02-27 2025-02-27
