Detailed Analysis of DocSwap Malware Disguised as Security Document Viewer

2025-03-13 S2W

https://s2w.medium.com/detailed-analysis-of-docswap-malware-disguised-as-security-document-viewer-218a728c36ff

S2W analyzed DocSwap, an Android malware sample first seen in January 2025 that disguised itself as a document-viewing authentication app and appeared to target South Korean mobile users, judging by its Korean-language strings and the app lure. The malware XOR-decrypts an embedded security.db payload, loads an internal DEX file, requests broad permissions, and abuses accessibility services for keylogging, while maintaining persistence through a foreground service and boot-triggered execution. Its command set supports information theft and device control, including file transfer, camera and microphone recording, call and contact collection, SMS access, and exfiltration over socket communication. The hardcoded C2 was 204.12.253[.]10:6834; the same infrastructure first served a CoinSwap phishing page and later displayed a Naver favicon and the string “Million OK !!!!,” a trait S2W notes was previously seen on phishing servers targeting Naver accounts linked to Kimsuky. S2W tracks unidentified North Korea-linked groups as puNK and designated the DocSwap operators as puNK-004.

Indicators of Compromise

