Appleseed v2.1 running with JavaScript

2022-08-26 SECUI Appleseed v2.1 running with JavaScript

https://stic.secui.com/main/main/threatInfo?id=69

Appleseed v2.1 was delivered through a JavaScript loader paired with a decoy document; the loader hides its payloads behind double Base64 encoding and string splitting to evade signature-based detection. It drops the encoded Appleseed DLL under ProgramData, decodes it with certutil, and loads it through Regsvr32, after which the backdoor contacts its C2 for additional scripts.

Version 2.1 replaces the older XOR-based string decryption with arithmetic operations over hex-encoded byte data and adds system information collection: host details, installed antivirus products and programs, and the contents of the Recent, Desktop, Downloads, and Documents folders.

Command output and collected files are ZIP-compressed and then wrapped in RC4, RSA, and XOR layers, and a PDF-like header is prepended before exfiltration.

The report lists the C2 domains netra.atwebpages[.]com, update.hannarng.kro[.]kr, and update.modernmap.n-e[.]kr; the sample is detected as Trojan.RAT.Kimsuky.Appleseed.
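The loader chain above (certutil decoding a dropped file under ProgramData, followed by Regsvr32 loading the resulting DLL) is easy to hunt for in process-creation telemetry. The following is an added example, not code from the SECUI report: a small Python hunt that parses constructed Sysmon-style process-creation events, extracts the certutil -decode output path and the Regsvr32 target, and correlates the two per host inside a time window. The event line format, hostnames, file paths, and the 10-minute window are assumptions made for the example.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class ProcEvent:
    ts: datetime
    host: str
    image: str      # lower-cased full path of the created process image
    cmdline: str    # command line as logged


# Constructed sample events (assumed format: timestamp|host|image|command line).
# WS-01 shows the chain from the report; WS-02 is benign noise; WS-03 is a
# Regsvr32 load from ProgramData with no preceding certutil decode.
SAMPLE_LOG = r"""
2022-08-26T09:00:01|WS-01|C:\Windows\System32\wscript.exe|wscript.exe //e:jscript C:\Users\kim\AppData\Local\Temp\invite.js
2022-08-26T09:00:03|WS-01|C:\Windows\System32\certutil.exe|certutil -f -decode C:\ProgramData\Software\update.txt C:\ProgramData\Software\update.dll
2022-08-26T09:00:05|WS-01|C:\Windows\System32\regsvr32.exe|regsvr32.exe /s C:\ProgramData\Software\update.dll
2022-08-26T09:10:00|WS-02|C:\Windows\System32\certutil.exe|certutil -hashfile C:\tools\setup.exe SHA256
2022-08-26T10:00:00|WS-02|C:\Windows\System32\regsvr32.exe|regsvr32.exe /s "C:\Program Files\Vendor\vendor.dll"
2022-08-26T11:00:00|WS-03|C:\Windows\System32\regsvr32.exe|regsvr32.exe /s C:\ProgramData\Other\helper.dll
"""

# Drive-letter path rooted in ProgramData (the drop location named in the report).
PROGRAMDATA = re.compile(r"(?i)^[a-z]:\\programdata\\")
# certutil -decode <infile> <outfile>, with or without quotes; -decodehex is also covered.
CERTUTIL_DECODE = re.compile(r'(?i)-decode(?:hex)?\s+"?([^"\s]+)"?\s+"?([^"\s]+)"?')
# Any quoted or unquoted Windows path on a command line.
WIN_PATH = re.compile(r'"([a-z]:\\[^"]+)"|([a-z]:\\\S+)', re.I)


def parse_events(text):
    """Parse the pipe-delimited sample format into ProcEvent objects."""
    events = []
    for line in text.strip().splitlines():
        ts, host, image, cmdline = line.split("|", 3)
        events.append(ProcEvent(datetime.fromisoformat(ts), host, image.lower(), cmdline))
    return events


def certutil_decode_output(ev):
    """Return the lower-cased output path if ev is certutil decoding into ProgramData, else None."""
    if not ev.image.endswith("\\certutil.exe"):
        return None
    m = CERTUTIL_DECODE.search(ev.cmdline)
    if not m:
        return None
    out = m.group(2).lower()
    return out if PROGRAMDATA.match(out) else None


def regsvr32_programdata_target(ev):
    """Return the lower-cased DLL path if ev is Regsvr32 loading a file from ProgramData, else None."""
    if not ev.image.endswith("\\regsvr32.exe"):
        return None
    paths = [(quoted or bare).lower() for quoted, bare in WIN_PATH.findall(ev.cmdline)]
    if not paths:
        return None
    target = paths[-1]          # the DLL is the last path argument to regsvr32
    return target if PROGRAMDATA.match(target) else None


def hunt(events, window=timedelta(minutes=10)):
    """Flag Regsvr32 loads from ProgramData; raise severity when the same file was
    produced by certutil -decode on the same host within the window."""
    decodes = []                # (event, output path) for every qualifying certutil run
    findings = []
    for ev in sorted(events, key=lambda e: e.ts):
        out = certutil_decode_output(ev)
        if out:
            decodes.append((ev, out))
            continue
        target = regsvr32_programdata_target(ev)
        if not target:
            continue
        linked = [d for d, path in decodes
                  if d.host == ev.host and path == target and ev.ts - d.ts <= window]
        findings.append({
            "host": ev.host,
            "ts": ev.ts.isoformat(),
            "dll": target,
            "severity": "high" if linked else "medium",
            "certutil_cmdline": linked[-1].cmdline if linked else None,
        })
    return findings


if __name__ == "__main__":
    for f in hunt(parse_events(SAMPLE_LOG)):
        print(f)
```

Run as-is, the hunt reports WS-01 as high severity with the certutil command line attached, and WS-03 as medium severity (Regsvr32 from ProgramData with no decode step seen); the WS-02 hashfile run and the Program Files registration produce nothing. Matching on the decoded output path rather than on any certutil use keeps legitimate certificate handling out of the result.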

Indicators of Compromise

Type    Value                               First Seen   Last Seen
HASH    8ab2d48467440eb17fd971386f845a1…    2022-08-26   2022-08-26
HASH    593124155a1bb27b0b8b7d67149e60c…    2022-08-26   2022-08-26
HASH    f18c89a434215a99b4949768ace67ea…    2022-08-26   2022-08-26
HASH    bce769212f906ff3edecee4eea8de51…    2022-08-26   2022-08-26
HASH    e7e2b29e310bb693139e13cfaad732a…    2022-08-26   2022-08-26
HASH    69059dd931f3b5d44a722c6d1e3b60a…    2022-08-26   2022-08-26
HASH    0de3202c4808cbb6213fc0d316039b8…    2022-08-26   2022-08-26
HASH    4bb78bd5f07638b334e135623c44d12…    2022-08-26   2022-08-26
DOMAIN  update.hannarng.kro.kr              2022-08-26   2022-08-26
DOMAIN  netra.atwebpages.com                2022-08-26   2022-08-26
DOMAIN  update.modernmap.n-e.kr             2022-08-26   2022-08-26