Kimsuky group distributing QuasarRAT disguised as an 'Application for Confirmation of Intent to Divorce by Agreement'!

2023-03-15 ESTSecurity Kimsuky distributing QuasarRAT disguised as an application to confirm intent to divorce

https://blog.alyac.co.kr/5103

Kimsuky distributed a malicious Word document masquerading as an application to confirm mutual intent to divorce, using macros to install QuasarRAT. When the user enabled content, the decoy displayed a legitimate-looking divorce form while AutoOpen macro logic contacted attacker-controlled infrastructure, dropped version.ini, runps.vbs and conf.ps1, and repeatedly downloaded additional payloads before launching QuasarRAT. ESRC linked the activity to a North Korea-backed APT Smoke Screen operation and noted detections such as Trojan.Downloader.DOC.Gen, Backdoor.MSIL.Quasar.gen and Trojan.PowerShell.Agent, with C2 details withheld because the server remained reachable.

Indicators of Compromise

Type Value First Seen Last Seen
HASH 3c687fb0a1921a53f9c607938f25fdd1 2023-03-15 2023-05-24
HASH d4bb07f5a9462612cd0e8a9290e27fc8 2023-03-15 2023-05-24
HASH 8f411a46490016ac5d126b83cee65022 2023-03-15 2023-05-24
HASH e0cf0881de0fe35732bb02c1f4df02a3 2023-03-15 2023-05-24
