Distribution of PebbleDash Malware in March 2025

2025-04-23 Ahnlab

https://asec.ahnlab.com/en/87621/

AhnLab reports that Kimsuky has continued distributing PebbleDash, a backdoor previously associated with Lazarus/Hidden Cobra, against individual targets through spear-phishing emails carrying disguised LNK shortcut files. The infection chain uses the LNK file to run JavaScript and PowerShell, establish persistence through scheduled tasks and registry keys, and communicate with Dropbox and a TCP socket-based C2 channel to deploy PebbleDash, AsyncRAT, RDP tooling, and other utilities. The activity includes PowerShell-created advconf2.dll registered as a service, UAC bypass tooling using an AppInfo ALPC technique, and ForceCopy for data exfiltration. A notable change is Kimsuky’s move from open-source RDP Wrapper use toward directly modifying termsrv.dll to disable RDP authentication, supported by registry changes and ownership manipulation of the Windows system DLL. The report matters because it shows Kimsuky adapting post-compromise remote access and privilege-escalation methods while continuing to rely on document-themed LNK spear-phishing against individuals.
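A defender-side integrity check for the termsrv.dll tampering described above, added here as an example; it is not code from the AhnLab report. It assumes a stock Windows host where System32 files are owned by TrustedInstaller and catalog-signed by Microsoft, and the reference hash is a placeholder to be filled in from a known-clean host at the same patch level.

```powershell
# Added example, not from the AhnLab report: look for the signs of a patched
# termsrv.dll (broken Microsoft signature, changed owner, unexpected hash).
$dll = Join-Path $env:SystemRoot 'System32\termsrv.dll'
$findings = @()

# 1. Signature: Windows ships termsrv.dll catalog-signed by Microsoft. Any byte
#    patch to the file (e.g. to skip the authentication check) breaks this.
$sig = Get-AuthenticodeSignature -FilePath $dll
if ($sig.Status -ne 'Valid') {
    $findings += "Signature status '$($sig.Status)' (expected 'Valid', type $($sig.SignatureType))"
} elseif ($sig.SignerCertificate.Subject -notmatch 'Microsoft') {
    $findings += "Signed, but not by Microsoft: $($sig.SignerCertificate.Subject)"
}

# 2. Ownership: overwriting a protected system DLL requires taking ownership first,
#    so an owner other than TrustedInstaller is itself an indicator.
$owner = (Get-Acl -Path $dll).Owner
if ($owner -ne 'NT SERVICE\TrustedInstaller') {
    $findings += "Owner is '$owner' (expected 'NT SERVICE\TrustedInstaller')"
}

# 3. Hash against a baseline taken from a clean host at the same build.
#    Placeholder value; the report publishes no clean hash, and the legitimate
#    hash changes with every servicing update, so keep the baseline per build.
$knownGoodSha256 = '<SHA256 of termsrv.dll from a clean reference host>'
$hash = (Get-FileHash -Path $dll -Algorithm SHA256).Hash
if ($knownGoodSha256 -notlike '<*>' -and $hash -ne $knownGoodSha256) {
    $findings += "SHA256 $hash differs from reference $knownGoodSha256"
}

if ($findings.Count -eq 0) {
    "termsrv.dll: no signs of tampering (SHA256 $hash)"
} else {
    "termsrv.dll: possible tampering"
    $findings | ForEach-Object { " - $_" }
}
```

Run it elevated on the suspect host; a mismatch on any of the three checks is a reason to pull the file for analysis and to review RDP-related registry changes and recent service and scheduled-task creations alongside it.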

Indicators of Compromise

Type  Value                             First Seen  Last Seen
HASH  70d92e2b00ec6702e17e266b7742bbab  2025-04-22  2025-04-23
HASH  641593eea5f235e27d7cff27d5b7ca2a  2025-04-22  2025-04-23
