Analysis of APT-C-55 (Kimsuky) HappyDoor Backdoor Attacks Using VMProtect Packing

2025-07-08 Qihoo360 Analysis of APT-C-55 (Kimsuky) HappyDoor Backdoor Attacks Using VMP Protection

https://mp.weixin.qq.com/s/fDan8ihUQEAF5Kf_6fXATQ


360 Advanced Threat Research Institute attributes a recent South Korea-focused intrusion to APT-C-55/Kimsuky, delivered through a trojanized Bandizip installer that installs the legitimate Korean Bandizip binary while launching malicious components in the background. The infection chain uses regsvr32 to load a dropped DLL, mshta to fetch obfuscated VBScript from 67.217.62[.]222, staged scripts to collect host, network, antivirus, and file-path data, and hidden scheduled-task persistence under ProgramData. The final payload is a VMProtect-packed HappyDoor backdoor, ut_happy(x64).dll, which copies itself under AppData, stores configuration and C2 data in registry keys, and supports multiple information-stealing and remote-control functions. Reported infrastructure includes u.appw.p-e[.]kr, d.appz.p-e[.]kr, mrasis.n-e[.]kr, and 67.217.62[.]222, with hashes for the Bandizip-themed installer and related payloads. The activity matters because it shows Kimsuky continuing to refine social-engineering delivery and analysis-evasion around a known backdoor family used for espionage against Korean targets.

Indicators of Compromise

Type    Value                                   First Seen   Last Seen
DOMAIN  appw.p-e.kr                             2025-07-08   2025-08-07
URL     http://u.appw.p-e.kr/index.php          2025-07-08   2025-08-07
URL     http://d.appz.p-e.kr/index.php          2025-07-08   2025-08-07
DOMAIN  u.appw.p-e.kr                           2025-07-08   2025-08-07
DOMAIN  d.appz.p-e.kr                           2025-07-08   2025-08-07
IPv4    67.217.62.222                           2025-07-08   2025-08-07
HASH    07fbf46d3a595a6f82e477ed4571294b        2025-07-08   2025-07-08
HASH    d1ec20144c83bba921243e72c517da5e        2025-07-08   2025-07-08
HASH    f4cd4449e556b0580c2282fec1ca661f        2025-07-08   2025-07-08
HASH    16d30316a6b700c78d021df5758db775        2025-07-08   2025-07-08
URL     http://mrasis.n-e.kr/comarov/se…        2025-03-19   2025-07-08
HASH    a6598bbdc947286c84f951289d14425c        2025-03-17   2025-07-08
DOMAIN  mrasis.n-e.kr                           2025-03-17   2025-07-08
