Kimsuky Attack Group Abusing Chrome Remote Desktop

2023-06-28  AhnLab (ASEC)  Kimsuky attack group abuses Chrome Remote Desktop

https://asec.ahnlab.com/ko/54804/


AhnLab reports that the North Korea-linked Kimsuky group abused Chrome Remote Desktop to keep interactive GUI control of infected Windows systems after deploying its AppleSeed backdoor. The observed chain started with WSF or JavaScript malware that decoded the AppleSeed payload with PowerShell and executed it via regsvr32, then installed additional tooling: browser credential stealers, an x64 RDP Patcher that enables multiple concurrent RDP sessions, Ngrok tunneling, and Chrome Remote Desktop. The credential stealer targeted Chrome, Microsoft Edge, and Naver Whale login data, while Ngrok and the remote-desktop tooling gave operators a path to systems behind NAT without inbound firewall rules. The activity fits Kimsuky's broader pattern of spear-phishing with malicious documents or scripts and layering custom malware with legitimate remote-access utilities. Because Chrome Remote Desktop and Ngrok are legitimate signed software, their presence is not an indicator on its own; the useful signal is their installation on hosts where they are not sanctioned, shortly after script-host, PowerShell and regsvr32 activity from user-writable paths.
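The paragraph above lists the stages of the chain and the page's IOC table lists hashes and domains; the script below, an added example that is not AhnLab's code or part of the original page, shows how the two combine in triage logic. It runs rule predicates for each stage (script host launching a .wsf/.js file, PowerShell decoding or downloading, regsvr32 loading a DLL from a user-writable path, Ngrok, the Chrome Remote Desktop host process) over flattened Sysmon-style events and matches MD5 hashes and DNS queries against the IOC table. The event field names, the sample events, and the Ngrok and Chrome Remote Desktop process names are assumptions to tune for your own telemetry; the hash attached to the sample regsvr32 event is taken from the table only for demonstration and says nothing about which file it belongs to.

```python
"""Triage constructed process/DNS events against the behaviours and IOCs on
this page. Added example; not code from AhnLab or the page author. The event
shape (a flattened Sysmon-style dict with type/image/cmd/md5/query keys) and
the sample events below are constructed here."""
import re

# IOCs copied from the table on this page (32-hex values are MD5).
IOC_HASHES = {
    "d6a38ffdbac241d69674fb142a420740", "80f381a20d466e7a02ea37592a26b0b8",
    "b6d11017e02e7d569cfe203eda25f3aa", "946e1e0d2e0d7785d2e2bcd3634bcd2a",
    "d2eb306ee0d7dabfe43610e0831bef49",
}
IOC_DOMAINS = {"pikaros2.r-e.kr", "getara1.mygamesonline.org"}

# Paths a user-level dropper can write to; regsvr32 loading a DLL from here is
# far more suspicious than from System32 or Program Files.
USER_WRITABLE = re.compile(
    r"\\users\\[^\\]+\\(appdata|downloads|desktop|documents)\\|\\programdata\\|\\temp\\",
    re.I)


def _image(e):
    """Basename of the process image, lower-cased."""
    return e.get("image", "").lower().rsplit("\\", 1)[-1]


def _cmd(e):
    return e.get("cmd", "")


# One predicate per stage of the chain. The Ngrok and Chrome Remote Desktop
# host binary names are assumptions to adjust per environment.
RULES = {
    "wsf_js_via_script_host": lambda e: _image(e) in ("wscript.exe", "cscript.exe")
        and re.search(r"\.(wsf|js)\b", _cmd(e), re.I) is not None,
    "powershell_decode_or_download": lambda e: _image(e) in ("powershell.exe", "pwsh.exe")
        and re.search(r"-e(c|nc|ncodedcommand)\s|frombase64string|downloadstring|invoke-webrequest",
                      _cmd(e), re.I) is not None,
    "regsvr32_user_writable_dll": lambda e: _image(e) == "regsvr32.exe"
        and USER_WRITABLE.search(_cmd(e)) is not None,
    "ngrok_tunnel": lambda e: _image(e) == "ngrok.exe"
        or re.search(r"\bngrok(\.exe)?\s+(tcp|http|start)\b", _cmd(e), re.I) is not None,
    "chrome_remote_desktop_host": lambda e: _image(e) in ("remoting_host.exe", "remoting_start_host.exe"),
}


def ioc_hits(e):
    """Hash and domain matches against the IOC table (subdomains count)."""
    hits = []
    if e.get("md5", "").lower() in IOC_HASHES:
        hits.append("hash:" + e["md5"].lower())
    host = (e.get("query") or e.get("dest_host") or "").lower()
    if host and (host in IOC_DOMAINS or any(host.endswith("." + d) for d in IOC_DOMAINS)):
        hits.append("domain:" + host)
    return hits


def triage(events):
    """Return one finding per event that matched a rule or an IOC."""
    findings = []
    for idx, e in enumerate(events):
        rules = [n for n, p in RULES.items() if e.get("type") == "process" and p(e)]
        iocs = ioc_hits(e)
        if rules or iocs:
            findings.append({"idx": idx, "rules": rules, "iocs": iocs})
    return findings


def verdict(findings):
    """Any IOC hit, or three or more distinct chain stages, is worth a case."""
    stages = {r for f in findings for r in f["rules"]}
    if any(f["iocs"] for f in findings) or len(stages) >= 3:
        return "investigate"
    return "review" if stages else "clean"


# Constructed sample telemetry (not from the report): the chain on one host,
# plus a benign regsvr32 call as a control.
SAMPLE_EVENTS = [
    {"type": "process", "image": r"C:\Windows\System32\wscript.exe",
     "cmd": r'wscript.exe "C:\Users\victim\Downloads\invitation.wsf"', "md5": "00" * 16},
    {"type": "process", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": "powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoA", "md5": "00" * 16},
    {"type": "process", "image": r"C:\Windows\System32\regsvr32.exe",
     "cmd": r'regsvr32.exe /s "C:\Users\victim\AppData\Local\Temp\update.dll"',
     "md5": "d6a38ffdbac241d69674fb142a420740"},  # hash from the IOC table, for demonstration
    {"type": "dns", "query": "pikaros2.r-e.kr"},
    {"type": "process", "image": r"C:\Users\victim\AppData\Local\Temp\ngrok.exe",
     "cmd": "ngrok.exe tcp 3389", "md5": "11" * 16},
    {"type": "process", "image": r"C:\Program Files (x86)\Google\Chrome Remote Desktop\remoting_host.exe",
     "cmd": "remoting_host.exe", "md5": "22" * 16},
    {"type": "process", "image": r"C:\Windows\System32\regsvr32.exe",
     "cmd": r'regsvr32.exe /s "C:\Windows\System32\msxml3.dll"', "md5": "33" * 16},
]

if __name__ == "__main__":
    found = triage(SAMPLE_EVENTS)
    for f in found:
        print(f)
    print(verdict(found))
```

The verdict deliberately needs either an IOC hit or three distinct stages: a lone Chrome Remote Desktop install on a host is a "review", not a case, which keeps the rule usable on fleets where the tool is legitimately deployed. Replace the hash and domain sets with a feed lookup and the regexes with your EDR's native query language once the logic is settled.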

Indicators of Compromise

Type    Value (HASH = MD5)                  First Seen  Last Seen
HASH    d6a38ffdbac241d69674fb142a420740    2023-06-28  2024-06-11
HASH    80f381a20d466e7a02ea37592a26b0b8    2023-06-28  2023-08-16
HASH    b6d11017e02e7d569cfe203eda25f3aa    2023-06-28  2023-08-16
HASH    946e1e0d2e0d7785d2e2bcd3634bcd2a    2023-06-28  2023-07-06
HASH    d2eb306ee0d7dabfe43610e0831bef49    2023-06-28  2023-07-06
DOMAIN  pikaros2.r-e.kr                     2023-06-28  2023-08-16
DOMAIN  getara1.mygamesonline.org           2023-06-28  2023-08-16
URL     http://pikaros2.r-e.kr/             2023-06-28  2023-07-06
URL     http://getara1.mygamesonline.org    2023-06-28  2023-06-28
