AppleSeed distributed to a maintenance contractor for a specific military unit

2022-07-21 Ahnlab AppleSeed distribution targeting a specific military unit maintenance contractor

https://asec.ahnlab.com/ko/36918/

AhnLab observed AppleSeed malware being distributed to a maintenance contractor for a specific military unit, using a password-protected Excel file named to resemble an installation schedule for that unit. The source identifies AppleSeed as a backdoor mainly used by Kimsuky and notes that it can receive commands from a C2 server, download additional modules, and execute attacker-directed actions. The infection chain required the victim to enable macros in Excel; the macro then hid the lure text and used mshta to download a follow-on script from attacker infrastructure. That script installed AppleSeed under %ProgramData%\Software\ControlSet\Service\ServiceScheduler.dll and launched it with regsvr32.exe. IOCs include the domains hime.dothome.co[.]kr and sign.dothome.co[.]kr.

Indicators of Compromise

Type        Value                                 First Seen   Last Seen
HASH (MD5)  1ac5b803205b1c3464941df2c21958e7      2022-07-21   2022-07-21
HASH (MD5)  a3786f14c85842861aa3493ec30be949      2022-07-21   2022-07-21
URL         hxxp://hime.dothome.co[.]kr/excha…    2022-07-21   2022-07-21
URL         hxxp://sign.dothome.co[.]kr/login/    2022-07-21   2022-07-21
DOMAIN      sign.dothome.co[.]kr                  2022-07-21   2022-07-21
DOMAIN      hime.dothome.co[.]kr                  2022-07-21   2022-07-21
