Malware disguised as coin and investment-related content is being distributed

2023-07-31 Ahnlab Spreading malware disguised as coin and investment-related content

https://asec.ahnlab.com/ko/55646/


ASEC observed malware disguised as cryptocurrency exchange and investment material; User-Agent artifacts led ASEC to attribute the activity to Kimsuky. The campaign used SFX executables carrying Word or PDF icons: when run, they opened a decoy asset-management or coin-exchange document while invoking mshta.exe against script paths on partner24.kr. A related macro-enabled Word document copied wscript.exe into AppData as word.exe, downloaded Base64-encoded script content from partner24.kr/mokozy/hope/kk.php, wrote it to disk as set.sl, and launched it through VBScript. The final payload was unavailable at the time of analysis, but the delivery chain is capable of supporting information theft or the download of additional malware; ASEC published the partner24.kr URLs and MD5 hashes as indicators.

Indicators of Compromise

Type Value First Seen Last Seen
HASH b6614471ebf288689d33808c376540e1 2023-07-31 2023-08-09
HASH 8a5fd1e9c9841ff0253b2a6f1e533d0e 2023-07-31 2023-08-09
HASH 17daf3ea7b80ee95792d4b3332a3390d 2023-07-31 2023-08-09
HASH 002105e21f1bddf68e59743c440e416a 2023-07-31 2023-08-09
URL https://partner24.kr/mokozy/hop… 2023-07-31 2023-08-09
URL https://partner24.kr/mokozy/hop… 2023-07-31 2023-08-09
URL https://partner24.kr/mokozy/hop… 2023-07-31 2023-08-09
URL https://partner24.kr/mokozy/hop… 2023-07-31 2023-08-09
