Analysis of the RandomQuery Data-Theft Campaign by APT-C-55 (Kimsuky)

2024-03-15 | Qihoo 360 | Analysis of the RandomQuery data-theft campaign conducted by APT-C-55 (Kimsuky)

https://mp.weixin.qq.com/s?__biz=MzUyMjk4NzExMA==&mid=2247495843&idx=1&sn=7965885f6dc8503c7fc49b7002816d13&chksm=f9c1c3aaceb64abcf4ee0b127600eed9c4013a3aaa1a7af7fb3d222b9264b365eed9fb475028&scene=178&cur_album_id=1915287066892959748#rd


360 Advanced Threat Research Institute analyzes a RandomQuery espionage campaign attributed to APT-C-55, also known as Kimsuky. The attack begins with phishing emails that deliver a fake HTML file and a RAR archive containing an LNK shortcut and a decoy document; the shortcut then uses VBS and PowerShell to pull additional scripts from attacker-controlled paths such as list.php and lib.php. The malware collects system details, running processes, recently opened Word files, directory listings, antivirus status, and browser data from Chrome, Edge, and Naver Whale, then encrypts the results and uploads them to show.php. The focus on Naver Whale, the infrastructure shared with earlier reporting, and the multi-stage information-stealing chain support the source's Kimsuky attribution and its assessment that the targets are South Korean.

Indicators of Compromise

Type    Value                              First Seen  Last Seen
IPv4    165.154.230.24                     2023-11-09  2024-04-17
HASH    54a11842db77475f2aaab5b2dc8a9319   2024-03-15  2024-03-15
HASH    67b455be12537a9195b4d614f3d5ac1b   2024-03-15  2024-03-15
HASH    cb9ee0593e822f36a75e428fe9018483   2024-03-15  2024-03-15
URL     http://ba-reum.co.kr/adm/status…   2024-03-15  2024-03-15
URL     http://ba-reum.co.kr/adm/status…   2024-03-15  2024-03-15
URL     http://ba-reum.co.kr/adm/status…   2024-03-15  2024-03-15
URL     http://ba-reum.co.kr/adm/status…   2024-03-15  2024-03-15
URL     http://ba-reum.co.kr/adm/status…   2024-03-15  2024-03-15
URL     http://ba-reum.co.kr/adm/status…   2024-03-15  2024-03-15
DOMAIN  ba-reum.co.kr                      2023-10-30  2024-03-15
