Detection of Spear Phishing Attacks by the Kimsuky Group Using AhnLab EDR (AppleSeed, AlphaSeed)

2024-02-08 AhnLab Detection of spear phishing attacks by the Kimsuky group using AhnLab EDR (AppleSeed, AlphaSeed)

https://asec.ahnlab.com/ko/61518/


Kimsuky uses spear phishing emails carrying VBS or JavaScript files disguised as documents to install AppleSeed and, in the observed case, AlphaSeed on targeted systems. The lures are tailored to the target: government-style documents for diplomacy and defense, business forms for companies, and personal or shopping documents for individuals. The infection chain writes encrypted payloads under ProgramData, decodes them with certutil, and runs the resulting DLL malware through PowerShell and regsvr32. AppleSeed provides backdoor, downloader, keylogging, screenshot, file collection, and C2 functions, while AlphaSeed is a Go malware family that uses ChromeDP and authenticates to its email-based C2 channel with cookies.
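The delivery chain summarized above (script host, PowerShell, certutil decoding into ProgramData, regsvr32 loading the DLL) is what an EDR rule set keys on. The following is an added example written for this page, not AhnLab's EDR logic or code from the report: a small Python rule evaluator run over constructed process-creation events. Only the hash and domain values come from the report's IoC table; the event format, the process tree, the file names and the pairing of a hash with a particular process are all assumptions made for the sample data.

```python
"""Illustrative detection rules for the AppleSeed/AlphaSeed delivery chain.

Added example, not AhnLab's EDR implementation. The event schema and the
sample events are constructed; only the IoC values are from the report.
"""
import re
from collections import defaultdict
from dataclasses import dataclass

# Indicators taken from the report's IoC table.
IOC_HASHES = {
    "7756b4230adfa16e18142d1dbe6934af",
    "486370be06493d78a9922b3a6e424909",
    "a0dd33b6b8c3ac9bee46a95586df345f",
    "8b77608db042b225ae8f59276ee3a165",
}
IOC_DOMAINS = {"peras1.n-e.kr"}

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# Matches a path under C:\ProgramData\ anywhere in a command line.
PROGRAMDATA = re.compile(r"c:\\programdata\\", re.IGNORECASE)


@dataclass
class ProcEvent:
    """Constructed process-creation event (not a real EDR schema)."""
    pid: int
    ppid: int
    image: str            # executable file name, lower-case
    cmdline: str
    md5: str = ""         # hash of the image, if the sensor recorded one
    dest_host: str = ""   # network destination, if the event carries one


def rule_certutil_decode(ev):
    """certutil used as a decoder with its arguments pointing into ProgramData."""
    cl = ev.cmdline.lower()
    return ev.image == "certutil.exe" and "-decode" in cl and bool(PROGRAMDATA.search(cl))


def rule_regsvr32_programdata(ev):
    """regsvr32 registering a DLL that lives under ProgramData."""
    return ev.image == "regsvr32.exe" and bool(PROGRAMDATA.search(ev.cmdline))


def rule_script_host_spawns_powershell(ev, parents):
    """PowerShell whose parent is wscript/cscript, i.e. a script attachment."""
    parent = parents.get(ev.ppid)
    return ev.image == "powershell.exe" and parent is not None and parent.image in SCRIPT_HOSTS


def rule_ioc_match(ev):
    """Direct match against the hashes and domain published in the report."""
    return ev.md5.lower() in IOC_HASHES or ev.dest_host.lower() in IOC_DOMAINS


def root_pid(ev, parents):
    """Walk up the tree to the top-most ancestor we have an event for."""
    seen = set()
    while ev.ppid in parents and ev.pid not in seen:
        seen.add(ev.pid)
        ev = parents[ev.ppid]
    return ev.pid


def evaluate(events):
    """Return sorted (rule, pid) hits; the chain rule reports the tree's root pid."""
    parents = {ev.pid: ev for ev in events}
    hits = []
    per_root = defaultdict(set)
    for ev in events:
        fired = []
        if rule_certutil_decode(ev):
            fired.append("certutil_decode")
        if rule_regsvr32_programdata(ev):
            fired.append("regsvr32_programdata")
        if rule_script_host_spawns_powershell(ev, parents):
            fired.append("script_host_spawns_powershell")
        if rule_ioc_match(ev):
            fired.append("ioc_match")
        for name in fired:
            hits.append((name, ev.pid))
            per_root[root_pid(ev, parents)].add(name)
    # Correlation: decode-then-load within one process tree is the AppleSeed pattern.
    for root, names in per_root.items():
        if {"certutil_decode", "regsvr32_programdata"} <= names:
            hits.append(("appleseed_chain", root))
    return sorted(hits)


# Constructed sample tree; file names are placeholders, not from the report.
SAMPLE_EVENTS = [
    ProcEvent(100, 1, "explorer.exe", "explorer.exe"),
    ProcEvent(200, 100, "wscript.exe", r'wscript.exe "C:\Users\u\Downloads\report.pdf.vbs"'),
    ProcEvent(300, 200, "powershell.exe", "powershell.exe -w hidden -c <placeholder>"),
    ProcEvent(400, 300, "certutil.exe",
              r"certutil.exe -decode C:\ProgramData\stage.txt C:\ProgramData\stage.dll"),
    # Hash from the IoC table; pairing it with this process is a constructed assumption.
    ProcEvent(500, 300, "regsvr32.exe", r"regsvr32.exe /s C:\ProgramData\stage.dll",
              md5="7756b4230adfa16e18142d1dbe6934af"),
    ProcEvent(600, 100, "regsvr32.exe", r"regsvr32.exe /s C:\Windows\System32\example.dll"),
    ProcEvent(700, 1, "chrome.exe", "chrome.exe", dest_host="peras1.n-e.kr"),
]

if __name__ == "__main__":
    for rule, pid in evaluate(SAMPLE_EVENTS):
        print(f"{rule:32s} pid={pid}")
```

The benign regsvr32 event (pid 600, a System32 path) is deliberately present so the ProgramData path condition, not the tool name alone, decides the hit; the chain rule only fires when both the decode and the load land in the same process tree, which keeps an isolated certutil or regsvr32 use from being escalated on its own.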

Indicators of Compromise

Type    Value                              First Seen  Last Seen
HASH    7756b4230adfa16e18142d1dbe6934af   2024-02-08  2025-06-09
DOMAIN  peras1.n-e.kr                      2024-02-08  2025-06-09
HASH    486370be06493d78a9922b3a6e424909   2024-02-08  2024-02-08
HASH    a0dd33b6b8c3ac9bee46a95586df345f   2024-02-08  2024-02-08
HASH    8b77608db042b225ae8f59276ee3a165   2024-02-08  2024-02-08
URL     http://peras1.n-e.kr/              2024-02-08  2024-02-08
