AhnLab reports that Kimsuky-linked malicious documents previously seen against security-sector personnel were also being distributed to broadcasting and general enterprise users. The lure documents, including files resembling KBS interview questions and an app-planning document, used template injection to download malicious Word macro templates from compromised Korean web infrastructure. When macros executed, a batch file used curl to fetch a decoy document and a VBS payload, then exfiltrated antivirus, download-folder, and host information while registering scheduled-task persistence. Representative infrastructure included gdtech[.]kr, ddim.co[.]kr, hydrotec.co[.]kr, and jooshineng[.]com paths, with AhnLab detections for DOC.External and DOC.Kimsuky downloaders.