March 2025 PebbleDash Malware Distribution Case

2025-04-22 AhnLab (ASEC) cyber threat report on Kimsuky and PebbleDash

https://asec.ahnlab.com/ko/87613/

ASEC documents the March 2025 distribution of the PebbleDash backdoor in activity it attributes to Kimsuky, noting that PebbleDash was originally named by CISA as Lazarus (Hidden Cobra) malware but has recently appeared frequently in Kimsuky cases. The attack chain begins with a spear-phishing email that delivers a malicious LNK file; the LNK launches JavaScript through mshta.exe, which in turn runs PowerShell. The PowerShell stage establishes persistence through scheduled tasks and Run registry keys, communicates with Dropbox and attacker-controlled C2 infrastructure, and deploys PebbleDash, AsyncRAT, patched RDP components, UAC-bypass tooling, and ForceCopy for data theft. The report highlights a shift away from RDP Wrapper toward a directly patched termsrv.dll for enabling terminal-service access.

Indicators of Compromise

Type  Value                             First Seen  Last Seen
HASH  70d92e2b00ec6702e17e266b7742bbab  2025-04-22  2025-04-23
HASH  641593eea5f235e27d7cff27d5b7ca2a  2025-04-22  2025-04-23
