Dissecting new AppleSeed backdoor of Kimsuky threat actor
2021-11-03 • Telsy
https://www.telsy.com/dissecting-new-appleseed-backdoor-of-kimsuky-threat-actor/
Telsy analyzes a Kimsuky spear-phishing campaign that delivered a new AppleSeed backdoor variant. The activity is attributed to the North Korean-linked group also tracked as Velvet Chollima, Black Banshee, and Thallium, which commonly uses malicious email attachments for initial access and has targeted South Korean think tanks as well as organizations in the United States, Russia, and Europe. The AppleSeed sample shares persistence and module-activation behavior with previously reported versions, including the EstsoftAutoUpdate registry key and flag files under C:\ProgramData\Software\ESTsoft\Common\flags. Telsy highlights differences in command-and-control, including use of the public daum.net mail service and Curl rather than WinInet for email communications.
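As an added example (not code from the Telsy write-up or from the malware), the detector below hunts for the two persistence artifacts the summary names: a registry value called EstsoftAutoUpdate and files under C:\ProgramData\Software\ESTsoft\Common\flags. It runs over constructed Sysmon-style records (EventID 13 for a registry value set, EventID 11 for a file create) rather than real telemetry. The page gives only the value name, so the assumption that it sits under a ...\CurrentVersion\Run key is mine; the sample event contents and file names are likewise constructed.

```python
"""Hunt for the AppleSeed persistence artifacts named in the Telsy write-up.

Added example, not code from the article. Indicators: a registry value named
EstsoftAutoUpdate (the page gives only the name; that it lives under a
...\\CurrentVersion\\Run key is an assumption) and flag files under
C:\\ProgramData\\Software\\ESTsoft\\Common\\flags. Events below are constructed
Sysmon-style records (EventID 13 = registry value set, EventID 11 = file
create), not real telemetry.
"""

REG_VALUE_NAME = "EstsoftAutoUpdate"
FLAGS_DIR = r"C:\ProgramData\Software\ESTsoft\Common\flags"

SAMPLE_EVENTS = [
    # Benign autostart entry (constructed).
    {"EventID": 13, "Image": r"C:\Windows\explorer.exe",
     "TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "Details": r"C:\Users\u\AppData\Local\Microsoft\OneDrive\OneDrive.exe"},
    # AppleSeed-style Run value (constructed; hive and key location assumed).
    {"EventID": 13, "Image": r"C:\Windows\System32\regsvr32.exe",
     "TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\EstsoftAutoUpdate",
     "Details": "<constructed command line>"},
    # Write under ...\ESTsoft\Common but outside the flags directory (constructed);
    # ESTsoft is a real Korean software vendor, so this path alone is not an indicator.
    {"EventID": 11, "Image": r"C:\Program Files\ESTsoft\sample.exe",
     "TargetFilename": r"C:\ProgramData\Software\ESTsoft\Common\settings.ini"},
    # Flag file in the module-activation directory (constructed name, casing varied).
    {"EventID": 11, "Image": r"C:\Windows\System32\regsvr32.exe",
     "TargetFilename": r"c:\programdata\software\estsoft\common\FLAGS\flag1"},
    # Unrelated file write (constructed).
    {"EventID": 11, "Image": r"C:\Windows\System32\svchost.exe",
     "TargetFilename": r"C:\Windows\Temp\tmp0001.tmp"},
]


def _norm(path: str) -> str:
    """Case-fold and unify separators so comparisons are not defeated by casing."""
    return path.replace("/", "\\").rstrip("\\").lower()


def detect(events):
    """Return (rule_name, event) pairs for events matching the AppleSeed indicators."""
    flags_prefix = _norm(FLAGS_DIR) + "\\"
    run_suffix = "\\run\\" + REG_VALUE_NAME.lower()
    hits = []
    for ev in events:
        if ev.get("EventID") == 13:
            # Match the value name under any hive's ...\Run key, so HKCU and
            # HKLM variants are both caught without hard-coding a SID.
            if _norm(ev.get("TargetObject", "")).endswith(run_suffix):
                hits.append(("appleseed_run_value", ev))
        elif ev.get("EventID") == 11:
            # Only the flags subdirectory is treated as an indicator; other
            # writes under ...\ESTsoft\Common may come from genuine ESTsoft software.
            if _norm(ev.get("TargetFilename", "")).startswith(flags_prefix):
                hits.append(("appleseed_flag_file", ev))
    return hits


if __name__ == "__main__":
    for rule, ev in detect(SAMPLE_EVENTS):
        print(rule, ev.get("TargetObject") or ev.get("TargetFilename"))
```

Matching is deliberately narrow: the value name is checked as the last path component under a Run key, and only the flags subdirectory is flagged, because the parent ESTsoft directory can be created by the vendor's legitimate products. On real telemetry the hits should be pivoted on the writing process (the Image field) and the file content before being treated as a confirmed AppleSeed infection.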