APT Group Profiles - Larva-24005
2025-04-19 • Ahnlab
ASEC identified Larva-24005 as an operation related to Kimsuky while investigating breaches in which the BlueKeep RDP vulnerability, CVE-2019-0708, was exploited. The activity targeted South Korean software, energy, and financial organizations; the same attack systems were used against targets in multiple countries, and phishing emails were sent to victims in South Korea and Japan.

After gaining access, the operators used droppers to install MySpy and RDPWrap (a tool that lets Windows editions which normally permit only a single Remote Desktop session accept additional concurrent sessions), changed RDP-related settings to keep remote access, and deployed the KimaLogger or RandomQuery keyloggers to capture user input. The report also notes spear-phishing, RDP access, exploitation of the Microsoft Office Equation Editor vulnerability CVE-2017-11882, RDP vulnerability scanners, and infrastructure on domains under r-e.kr and kro.kr.
Indicators of Compromise
| Type | Value | First Seen | Last Seen |
|---|---|---|---|
| DOMAIN | r-e.kr | 2023-03-23 | 2026-06-01 |
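The following is an added example, not code from the ASEC report or this page, showing how a detection engineer might hunt for the post-exploitation pattern described above (RDPWrap installation, RDP setting changes) together with the domain indicator from the table. It assumes Sysmon-style events with the standard field names for event IDs 11 (FileCreate), 13 (RegistryEvent value set) and 22 (DNSEvent); the registry paths are the standard Windows locations for the Remote Desktop settings, not values quoted from the report; the sample events are constructed for illustration.

```python
"""Hunt for the Larva-24005 post-exploitation pattern in Sysmon-style events.

Added example: registry paths are the standard Windows locations for the RDP
settings, event shapes follow Sysmon event IDs 11 (FileCreate), 13 (RegistryEvent
value set) and 22 (DNSEvent), and the sample events below are constructed, not
real telemetry from the report.
"""
import re

# Windows Remote Desktop settings an intruder touches to keep RDP access.
TERMSERVICE_DLL = r"HKLM\SYSTEM\CurrentControlSet\Services\TermService\Parameters\ServiceDll"
DENY_TS_CONNECTIONS = r"HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\fDenyTSConnections"
RDP_NLA = r"HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp\UserAuthentication"

# Parent domains from the report; the actor uses hostnames beneath them,
# so a match must cover every label under the parent, not just the apex.
WATCHED_DOMAINS = ("r-e.kr", "kro.kr")

_DWORD_RE = re.compile(r"DWORD \(0x([0-9A-Fa-f]{8})\)")


def dword_value(details):
    """Parse the 'DWORD (0x00000000)' form Sysmon uses in RegistryEvent Details."""
    m = _DWORD_RE.search(details or "")
    return int(m.group(1), 16) if m else None


def domain_matches(query, parents=WATCHED_DOMAINS):
    """True if query is one of the parent domains or any subdomain of them."""
    q = query.lower().rstrip(".")
    return any(q == p or q.endswith("." + p) for p in parents)


def evaluate(event):
    """Return finding strings for one event; an empty list means nothing of note."""
    findings = []
    eid = event.get("EventID")
    if eid == 13:
        target = event.get("TargetObject", "").lower()
        details = event.get("Details", "")
        if target == TERMSERVICE_DLL.lower() and "termsrv.dll" not in details.lower():
            # RDPWrap works by pointing TermService at rdpwrap.dll instead of termsrv.dll.
            findings.append(f"TermService ServiceDll redirected to {details}")
        elif target == DENY_TS_CONNECTIONS.lower() and dword_value(details) == 0:
            findings.append("Remote Desktop enabled (fDenyTSConnections=0)")
        elif target == RDP_NLA.lower() and dword_value(details) == 0:
            # With NLA off, the pre-authentication RDP surface used by CVE-2019-0708 is reachable.
            findings.append("Network Level Authentication disabled on RDP-Tcp")
    elif eid == 11:
        name = event.get("TargetFilename", "").lower()
        if name.endswith(("\\rdpwrap.dll", "\\rdpwrap.ini")):
            findings.append(f"RDPWrap file written: {event['TargetFilename']}")
    elif eid == 22:
        qname = event.get("QueryName", "")
        if domain_matches(qname):
            findings.append(f"DNS query for watched domain {qname}")
    return findings


def hunt(events):
    """Run evaluate() over a sequence of events; returns (image, finding) pairs."""
    return [(e.get("Image", "?"), f) for e in events for f in evaluate(e)]


# Constructed sample events (Sysmon fields after JSON parsing), not real telemetry.
SAMPLE_EVENTS = [
    {"EventID": 11, "Image": r"C:\Users\Public\drop.exe",
     "TargetFilename": r"C:\Program Files\RDP Wrapper\rdpwrap.dll"},
    {"EventID": 13, "Image": r"C:\Users\Public\drop.exe",
     "TargetObject": TERMSERVICE_DLL, "Details": r"C:\Program Files\RDP Wrapper\rdpwrap.dll"},
    {"EventID": 13, "Image": r"C:\Windows\regedit.exe",
     "TargetObject": DENY_TS_CONNECTIONS, "Details": "DWORD (0x00000000)"},
    {"EventID": 13, "Image": r"C:\Windows\regedit.exe",
     "TargetObject": RDP_NLA, "Details": "DWORD (0x00000000)"},
    {"EventID": 22, "Image": r"C:\Users\Public\svc.exe", "QueryName": "update.r-e.kr"},
    # Benign noise: a normal browser lookup and the legitimate termsrv.dll value.
    {"EventID": 22, "Image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "QueryName": "www.example.com"},
    {"EventID": 13, "Image": r"C:\Windows\System32\services.exe",
     "TargetObject": TERMSERVICE_DLL, "Details": r"%SystemRoot%\System32\termsrv.dll"},
]

if __name__ == "__main__":
    for image, finding in hunt(SAMPLE_EVENTS):
        print(f"{image}: {finding}")
```

Two caveats for anyone adapting this: the domain indicator is the parent of a subdomain service, so subdomain matching is deliberate but will also flag benign hosts that use r-e.kr or kro.kr, and a hit should be treated as a triage lead rather than a verdict. The NLA check is worth keeping even on patched hosts, since Microsoft's advisory for CVE-2019-0708 lists Network Level Authentication as a mitigation that forces authentication before the vulnerable code path is reached.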