Detailed Analysis of Phrack’s APT Down: The North Korea Files
2025-08-22 • S2W
S2W TALON analyzed leaked material distributed with Phrack’s “APT Down: The North Korea Files” and found evidence of operations against Korean government entities and domestic companies, including webmail-related source code, Ministry of Foreign Affairs-related files, GPKI documents and certificates, administrative cloud login logs, and phishing-email distribution logs.

The report assesses that the actor called “KIM” in the leak is unlikely to be directly associated with Kimsuky and tracks the activity separately as UNSI-018. TALON notes limited overlap with Kimsuky-linked phishing infrastructure and email-open tracking via beacon images, but says the infrastructure timing, structure, use of evilgophish Apache configurations, and lack of evidence tying leaked GPKI material to Troll Stealer do not support a firm Kimsuky attribution.

The leaked environment also showed extensive Chinese-language usage, Chinese platforms such as Baidu, CSDN, Freebuf, AcFun and Bilibili, Baidu Cloud access, and Chinese-authored comments and documents, making the dataset important for correcting over-attribution in DPRK-focused tracking.
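The summary mentions email-open tracking via beacon images as one of the overlaps TALON weighed. For a mail-security team, the practical counterpart is spotting such beacons in inbound HTML before a user's client fetches them. The script below is an added example, not code from the S2W report or the leak: it walks the `<img>` tags of a constructed sample body (the hostnames, path names and the hex token are placeholders, not indicators from the page) and flags remote images that are tiny or hidden, or whose query string carries an opaque identifier, since a fetch of such an image tells the sender the message was opened.

```python
"""Flag likely email-open tracking ("beacon") images in an HTML mail body.

Added example for triage of phishing-mail bodies; heuristics and sample data
are constructed here and are not taken from the S2W report or the leaked files.
"""
import re
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlparse

# Constructed sample message body. Domains, paths and the token are placeholders.
SAMPLE_HTML = """
<html><body>
<p>Dear colleague, please review the attached notice.</p>
<img src="https://cdn.example.com/logo.png" width="200" height="60" alt="logo">
<img src="http://track.example.net/open.gif?u=7f3a9c2e1b&c=42" width="1" height="1">
<img src="http://track.example.net/pixel.png" style="display:none;width:0;height:0">
<img src="cid:inline-chart" width="300" height="200">
</body></html>
"""

# Attribute values that make an image effectively invisible to the reader.
TINY = {"0", "1", "0px", "1px"}


class _ImgCollector(HTMLParser):
    """Collect the attribute dict of every <img> tag in the document."""

    def __init__(self):
        super().__init__()
        self.images = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "img":
            # HTMLParser yields (name, value) pairs; value is None for bare attributes.
            self.images.append({k.lower(): (v or "") for k, v in attrs})


def _is_tiny(attrs):
    """True when width/height attributes or inline CSS hide the image."""
    w = attrs.get("width", "").strip().lower()
    h = attrs.get("height", "").strip().lower()
    if w in TINY or h in TINY:
        return True
    style = attrs.get("style", "").replace(" ", "").lower()
    return "display:none" in style or "width:0" in style or "height:0" in style


def _has_token(url):
    """True when any query parameter looks like an opaque per-recipient identifier."""
    qs = parse_qs(urlparse(url).query)
    return any(re.fullmatch(r"[0-9a-f]{8,}", v) for vals in qs.values() for v in vals)


def find_beacons(html):
    """Return a list of suspected beacon images with the reasons they were flagged."""
    parser = _ImgCollector()
    parser.feed(html)
    findings = []
    for attrs in parser.images:
        src = attrs.get("src", "")
        parsed = urlparse(src)
        if parsed.scheme.lower() not in ("http", "https"):
            # cid:/data: images are embedded; fetching them signals nothing to a remote host.
            continue
        reasons = []
        if _is_tiny(attrs):
            reasons.append("tiny-or-hidden")
        if _has_token(src):
            reasons.append("tracking-token-in-query")
        if reasons:
            findings.append({"src": src, "host": parsed.hostname, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in find_beacons(SAMPLE_HTML):
        print(finding["host"], finding["reasons"], finding["src"])
```

Run against the sample, the logo and the embedded `cid:` chart pass, while both images on the constructed tracking host are flagged; the remote hosts in the findings are what a gateway would block or proxy, and the token pattern is worth tuning to the formats actually seen in a given mail stream rather than the generic hex match used here.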