Analyzing DEEP#DRIVE: North Korean Threat Actors Observed Exploiting Trusted Platforms for Targeted Attacks
2025-02-13 • Securonix
Securonix observed the DEEP#DRIVE campaign attributed to Kimsuky targeting South Korean businesses, government entities, and cryptocurrency users with Korean-language phishing lures disguised as work logs, insurance documents, and crypto-related files. The infection chain began with ZIP-delivered LNK files masquerading as Office or PDF documents, which launched obfuscated PowerShell, decoded and executed temporary scripts, and used scheduled tasks named ChromeUpdateTaskMachine for persistence. Dropbox hosted lure documents, PowerShell payloads, and follow-on components, while scripts such as system_first.ps1 collected IP address, OS, antivirus, and process information for exfiltration. The final payload path included downloading and in-memory execution of a Gzip-compressed .NET assembly, but short-lived Dropbox infrastructure limited deeper analysis. The campaign matters because it shows Kimsuky continuing to blend trusted cloud services, local-language lures, and PowerShell-heavy staging to evade conventional defenses.
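As an added illustration (not code from the Securonix report), the following Python triage routine runs over constructed sample telemetry and flags the persistence and staging patterns described above: the reported task name, scheduled-task actions that launch hidden PowerShell from a user-writable path, and hidden, encoded PowerShell spawned by explorer.exe as a double-clicked LNK would produce. The event field names, sample command lines and severity labels are assumptions; only the task and script names come from the write-up.

```python
import re

# Constructed sample telemetry (not from the Securonix report), simplified
# from Sysmon Event ID 1 (process creation) and Security Event ID 4698
# (scheduled task created). Task and script names come from the write-up.
SAMPLE_EVENTS = [
    {"type": "process_create", "parent": r"C:\Windows\explorer.exe",
     "cmdline": "powershell.exe -w hidden -ep bypass -enc SQBFAFgAIAAoAE4AZQB3AC0A"},
    {"type": "task_create", "task_name": r"\ChromeUpdateTaskMachine",
     "task_content": r"<Exec><Command>powershell.exe</Command>"
                     r"<Arguments>-w hidden -File C:\Users\Public\system_first.ps1</Arguments></Exec>"},
    {"type": "task_create", "task_name": r"\GoogleUpdateTaskMachineCore",   # benign look-alike
     "task_content": r"<Exec><Command>C:\Program Files (x86)\Google\Update\GoogleUpdate.exe</Command></Exec>"},
    {"type": "process_create", "parent": r"C:\Windows\explorer.exe",
     "cmdline": "notepad.exe C:\\Users\\user\\notes.txt"},                  # benign
]

KNOWN_TASK = re.compile(r"ChromeUpdateTaskMachine", re.I)       # task name reported in the campaign
HIDDEN_PS = re.compile(r"powershell(\.exe)?.*-w(indowstyle)?\s+hidden", re.I)
ENCODED = re.compile(r"\s-e(ncodedcommand|nc|c)?\s", re.I)      # -e / -ec / -enc / -EncodedCommand
USER_PATH = re.compile(r"\\(Users|ProgramData|Windows\\Temp)\\", re.I)  # user-writable staging dirs


def triage(events):
    """Return (severity, reason, event) tuples for events matching DEEP#DRIVE-style tradecraft."""
    hits = []
    for ev in events:
        if ev["type"] == "task_create":
            name, body = ev["task_name"], ev["task_content"]
            if KNOWN_TASK.search(name):
                hits.append(("high", "task name matches reported persistence task", ev))
            elif HIDDEN_PS.search(body) and USER_PATH.search(body):
                hits.append(("medium", "task runs hidden PowerShell from user-writable path", ev))
        elif ev["type"] == "process_create":
            cmd = ev["cmdline"]
            # explorer.exe as parent is what a double-clicked LNK produces
            if HIDDEN_PS.search(cmd) and ENCODED.search(cmd) \
                    and ev["parent"].lower().endswith("explorer.exe"):
                hits.append(("medium", "hidden encoded PowerShell spawned by explorer.exe", ev))
    return hits


if __name__ == "__main__":
    for severity, reason, ev in triage(SAMPLE_EVENTS):
        print(f"[{severity}] {reason}: {ev.get('task_name') or ev.get('cmdline')}")
```

The name-based rule only catches this campaign's reported task; the two behavioural rules are the ones worth keeping once the indicator rotates.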