Malware disguised as a Hangul (HWP) document file (Kimsuky)

2023-06-16 AhnLab Malicious code disguised as a Korean document file (Kimsuky)

https://asec.ahnlab.com/ko/54473/


AhnLab reports that Kimsuky-linked malware was distributed as a compressed archive containing a readme file and a .NET executable disguised as a Korean HWP document by using a document icon and padded filename spacing. When run, the dropper decodes an embedded Base64 PowerShell command, writes update.vbs under %APPDATA%, and displays a decoy error message using North Korean-style wording to reduce user suspicion. The decoded script downloads additional code from well-story.co.kr paths and executes scripts associated with user-information theft and keylogging, matching earlier Kimsuky malware behavior documented by AhnLab. Representative artifacts include MD5 hashes such as 8133c5f663f89b01b30a052749b5a988 and the URL hxxp://well-story.co[.]kr/adm/inc/js/list.php?query=1.
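The behaviours summarised above (a document extension padded with spaces ahead of the real executable extension, the listed MD5 hashes, contact with well-story.co.kr, and update.vbs written under %APPDATA%) translate directly into triage checks. The following Python is an added example, not code from AhnLab or from this page; the hash values and domain are the ones quoted above, while the sample telemetry records, the `triage_event` helper and its field names (`filename`, `md5`, `url`, `path`) are constructed for illustration.

```python
import re
from urllib.parse import urlparse

# Indicators quoted from the AhnLab report summary above (MD5 values and the
# download domain); everything else in this block is an added illustration.
KNOWN_MD5 = {
    "8133c5f663f89b01b30a052749b5a988",
    "91029801f6f3a415392ccfee8226be67",
    "73174c9d586531153a5793d050a394a8",
    "f05991652398406655a6a5eebe3e5f3a",
    "ec1b518541228072eb75463ce15c7bce",
}
KNOWN_DOMAINS = {"well-story.co.kr"}

# A document extension, then three or more whitespace characters (\s also
# covers the full-width space U+3000 common in Korean text), then the
# executable extension that actually runs when the file is opened.
PADDED_NAME = re.compile(
    r"\.(hwp|docx?|pdf|xlsx?|pptx?)\s{3,}\.(exe|scr|vbs|js|bat|cmd|pif|com)$",
    re.IGNORECASE,
)


def padded_double_extension(name: str) -> bool:
    """True when the name hides an executable extension behind padding."""
    return PADDED_NAME.search(name) is not None


def triage_event(event: dict) -> list[str]:
    """Return the reasons one telemetry record matches this report's behaviour.
    Keys used (all optional, constructed for this example): filename, md5, url, path."""
    reasons = []
    if padded_double_extension(event.get("filename", "")):
        reasons.append("filename: document extension padded before executable extension")
    md5 = event.get("md5", "").lower()
    if md5 in KNOWN_MD5:
        reasons.append(f"hash: {md5} is listed in the report")
    host = urlparse(event.get("url", "")).hostname
    if host and host.lower() in KNOWN_DOMAINS:
        reasons.append(f"network: request to {host}")
    # Normalise slashes so the same check works on paths logged either way.
    path = event.get("path", "").replace("/", "\\").lower()
    if path.endswith("\\update.vbs") and "\\appdata\\" in path:
        reasons.append("file: update.vbs written under %APPDATA%")
    return reasons


def triage_all(events: list[dict]) -> list[list[str]]:
    """Run triage_event over a batch of records, preserving order."""
    return [triage_event(e) for e in events]


# Constructed sample telemetry (not from the report) to exercise the checks.
SAMPLE_EVENTS = [
    {"filename": "meeting notes.hwp" + " " * 40 + ".exe",
     "md5": "8133c5f663f89b01b30a052749b5a988"},
    {"filename": "meeting notes.hwp", "md5": "d41d8cd98f00b204e9800998ecf8427e"},
    {"url": "http://well-story.co.kr/adm/inc/js/list.php?query=1"},
    {"path": "C:\\Users\\victim\\AppData\\Roaming\\update.vbs"},
]

if __name__ == "__main__":
    for event, reasons in zip(SAMPLE_EVENTS, triage_all(SAMPLE_EVENTS)):
        print(event, "->", reasons or ["no match"])
```

The filename check is the most durable of the four: hashes and domains rotate between campaigns, but the padded double extension is a presentation trick that any rename-and-redeploy of the dropper carries along, so it is worth keeping as a standing rule on file-creation and mail-attachment telemetry.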

Indicators of Compromise

Type    Value                                  First Seen  Last Seen
HASH    8133c5f663f89b01b30a052749b5a988       2023-06-16  2024-04-17
DOMAIN  well-story.co.kr                       2023-06-16  2024-04-17
HASH    91029801f6f3a415392ccfee8226be67       2023-06-16  2023-08-16
HASH    73174c9d586531153a5793d050a394a8       2023-06-16  2023-08-16
HASH    f05991652398406655a6a5eebe3e5f3a       2023-06-16  2023-06-23
HASH    ec1b518541228072eb75463ce15c7bce       2023-06-16  2023-06-23
URL     http://well-story.co.kr/adm/inc…       2023-06-16  2023-06-23
URL     http://well-story.co.kr/adm/inc…       2023-06-16  2023-06-23
URL     http://well-story.co.kr/adm/inc…       2023-06-16  2023-06-23
URL     http://well-story.co.kr/adm/inc…       2023-06-16  2023-06-23
URL     http://well-story.co.kr/adm/inc…       2023-06-16  2023-06-23
