APT Attack - New "Kimsuky" Malware Appears

2014-03-19 Ahnlab APT Attack - New "Kimsuky" Malware Appears

http://asec.ahnlab.com/993


AhnLab reported continued Kimsuky-related activity in early 2014 using malicious HWP documents against domestic Korean institutions after the 2013 Kimsuky operation. Two documents found in February and March exploited the same HWPTAG_PARA_LINE_SEG vulnerability, dropped DLL backdoors into temporary and system folders, registered services, and timestomped files to match the system calc.exe timestamp. The backdoors attempted to disable V3 and Windows firewall settings, collect system, file, process, and keystroke data, and exfiltrate through webmail accounts, free web hosting upload endpoints, or FTP infrastructure. The report also describes reuse of a TeamViewer 5.0.9104 remote-control module and changes in PDB paths and attacker mail accounts across variants. These details show sustained development of Kimsuky-associated tooling, infrastructure, and exfiltration methods targeting Korean organizations.

Indicators of Compromise

Type   | Value                     | First Seen | Last Seen
-------|---------------------------|------------|-----------
DOMAIN | indiatimes.com            | 2014-03-19 | 2024-10-29
EMAIL  | [email protected]         | 2014-03-19 | 2014-03-19
EMAIL  | [email protected]         | 2014-03-19 | 2014-03-19
EMAIL  | [email protected]         | 2014-03-19 | 2014-03-19
DOMAIN | tilmb17.indiatimes.com    | 2014-03-19 | 2014-03-19
DOMAIN | jsso.indiatimes.com       | 2014-03-19 | 2014-03-19
