IGLOO’s first-half 2021 Kimsuky trend report documents repeated Korea-focused phishing and malware operations that used malicious documents, VBA or PowerShell logic, HWP-delivered DLL/VBS stages, and attacker-controlled web infrastructure to collect host data and upload it to C2. The cases include lures such as conference or survey materials, policy-committee lists, payment-request forms, and Korean-language organization themes, with delivery through Google Blog, OneDrive, and compromised or disposable domains. The excerpt lists many hashes and defanged URLs, but the operational pattern is more important than any single indicator: Kimsuky repeatedly collected PC/user information, created shortcuts or configuration files for execution, downloaded follow-on scripts or binaries, and used PHP endpoints for staging and exfiltration. This summary should be treated as a trend-level archive entry rather than a single-incident attribution beyond the source’s Kimsuky framing.