Fake AV Investigation Unearths KevDroid, New Android Malware

2018-04-02 Cisco Talos

http://blog.talosintelligence.com/2018/04/fake-av-investigation-unearths-kevdroid.html


Cisco Talos investigated KevDroid after a reported possible connection to Group 123, but concluded that the observed overlaps were too weak to support attribution. The Android RAT variants stole device data such as contacts, SMS, call history, location, and recordings of phone calls; one variant also attempted privilege escalation on Android via CVE-2015-3636. The same infrastructure hosted Windows malware, including PubNubRAT, which used the PubNub messaging service as its command-and-control channel to receive orders, steal files, execute commands, kill processes, download files, and take screenshots. The Windows infection chain began with a Korean-language RTF lure about Bitcoin and China that exploited CVE-2017-11882 to download and execute a payload hosted on that infrastructure. For DPRK-focused tracking the report matters chiefly because it evaluates and rejects strong Group 123 attribution while documenting mobile and Windows espionage tooling aimed at Korean users.

Indicators of Compromise

Type    Value                              First Seen  Last Seen
DOMAIN  ps.pndsn.com                       2018-04-02  2020-03-25
HASH    90abfe3e4f21b5a16cd1ff3c485f079…   2018-04-02  2020-03-09
URL     http://ebsmpi.com/ipin/360/desk…   2018-04-02  2018-08-22
URL     http://ebsmpi.com/ipin/360/Ant_…   2018-04-02  2018-08-22
URL     http://cgalim.com/admin/hr/1.apk   2018-04-02  2018-08-22
URL     http://cgalim.com/admin/hr/hr.d…   2018-04-02  2018-08-22
URL     http://ebsmpi.com/ipin/360/Ant_…   2018-04-02  2018-08-22
DOMAIN  ebsmpi.com                         2018-04-02  2018-08-22
DOMAIN  cgalim.com                         2018-04-02  2018-08-22
HASH    6b1f2dfe805fa0e27139c5a48400425…   2018-04-02  2018-04-05
HASH    f33aedfe5ebc918f5489e1f8a9fe19b…   2018-04-02  2018-04-05
HASH    86887ce368d9a3e7fdf9aa62418cd68…   2018-04-02  2018-04-05
HASH    dd3f5ad44a80e7872e826869d270cbd…   2018-04-02  2018-04-02
HASH    7a82cc0330e8974545d5a8cdca95b8d…   2018-04-02  2018-04-02
HASH    c015292aab1d41acd0674c98cd8e913…   2018-04-02  2018-04-02
HASH    d24d1b667829db9871080b97516dbe2…   2018-04-02  2018-04-02
HASH    9ff7240c77fca939cde0eb1ffe7f642…   2018-04-02  2018-04-02
HASH    4cb16189f52a428a49916a8b533fdeb…   2018-04-02  2018-04-02
URL     http://cgalim.com/admin/1211me/…   2018-04-02  2018-04-02
URL     http://cgalim.com/admin/1211me/…   2018-04-02  2018-04-02
URL     http://cgalim.com/admin/hr/pu/p…   2018-04-02  2018-04-02
URL     http://cgalim.com/admin/1211me/…   2018-04-02  2018-04-02
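As an added worked example (not code from the Talos report or from this page), the script below runs the indicators in the table over constructed proxy and DNS log lines. The log format, the sample lines and the paths under the truncated URL prefixes are hypothetical, and only three of the eleven hashes are carried over as a sample. Truncated values keep the table's trailing "…" and are matched only as prefixes at reduced confidence. ps.pndsn.com is PubNub's public messaging endpoint and is shared with legitimate apps, so a hit there is flagged low-confidence: it corroborates PubNubRAT traffic rather than proving it.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional
from urllib.parse import urlsplit

# Indicators copied from the table above. URL rows whose visible prefix is
# identical are collapsed, since prefix matching treats them alike. Truncated
# values keep the page's "…" and are matched only as prefixes; nothing is filled in.
# Only three of the eleven HASH rows are included here, as a sample.
IOCS = [
    ("DOMAIN", "ps.pndsn.com"),
    ("DOMAIN", "ebsmpi.com"),
    ("DOMAIN", "cgalim.com"),
    ("URL", "http://ebsmpi.com/ipin/360/desk…"),
    ("URL", "http://ebsmpi.com/ipin/360/Ant_…"),
    ("URL", "http://cgalim.com/admin/hr/1.apk"),
    ("URL", "http://cgalim.com/admin/hr/hr.d…"),
    ("URL", "http://cgalim.com/admin/hr/pu/p…"),
    ("URL", "http://cgalim.com/admin/1211me/…"),
    ("HASH", "90abfe3e4f21b5a16cd1ff3c485f079…"),
    ("HASH", "6b1f2dfe805fa0e27139c5a48400425…"),
    ("HASH", "dd3f5ad44a80e7872e826869d270cbd…"),
]
# ps.pndsn.com is PubNub's public endpoint and is used by legitimate apps, so a
# hit there only corroborates PubNubRAT activity; it is not proof on its own.
SHARED_SERVICE_DOMAINS = {"ps.pndsn.com"}
TRUNC = "…"


@dataclass
class Hit:
    line_no: int
    ioc_type: str
    indicator: str
    confidence: str  # "high", "medium" (prefix of a truncated IOC) or "low" (shared service)


def _host_matches(host: str, domain: str) -> bool:
    """Exact or subdomain match on a label boundary (notcgalim.com must not match cgalim.com)."""
    host, domain = host.lower().rstrip("."), domain.lower()
    return host == domain or host.endswith("." + domain)


def _value_matches(value: str, indicator: str) -> Optional[str]:
    """Confidence label if value matches the indicator (prefix match for truncated ones), else None."""
    value = value.lower()
    if indicator.endswith(TRUNC):
        return "medium" if value.startswith(indicator[:-1].lower()) else None
    return "high" if value == indicator.lower() else None


# Hypothetical log format, constructed for this example:
#   <timestamp> <client-ip> DNS <queried-name>
#   <timestamp> <client-ip> <HTTP-method> <url> <status>
LOG_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)(?:\s+(\d{3}))?$")


def match_line(line_no: int, line: str) -> List[Hit]:
    """Return every DOMAIN/URL indicator that one log line matches."""
    m = LOG_RE.match(line.strip())
    if not m:
        return []
    _ts, _client, kind, target, _status = m.groups()
    if kind.upper() == "DNS":
        host, url = target, None
    else:
        host, url = urlsplit(target).hostname or "", target
    hits: List[Hit] = []
    for ioc_type, indicator in IOCS:
        if ioc_type == "DOMAIN" and _host_matches(host, indicator):
            conf = "low" if indicator in SHARED_SERVICE_DOMAINS else "high"
            hits.append(Hit(line_no, ioc_type, indicator, conf))
        elif ioc_type == "URL" and url is not None:
            conf = _value_matches(url, indicator)
            if conf:
                hits.append(Hit(line_no, ioc_type, indicator, conf))
    return hits


def scan(lines: Iterable[str]) -> List[Hit]:
    hits: List[Hit] = []
    for n, line in enumerate(lines, 1):
        hits.extend(match_line(n, line))
    return hits


def match_hash(digest: str) -> Optional[Hit]:
    """Match a hex file digest against the truncated HASH rows by prefix."""
    for ioc_type, indicator in IOCS:
        if ioc_type == "HASH":
            conf = _value_matches(digest, indicator)
            if conf:
                return Hit(0, ioc_type, indicator, conf)
    return None


# Constructed sample log; the paths under the truncated URL prefixes are made up.
SAMPLE_LOG = [
    "2018-04-03T09:12:40Z 10.0.0.12 DNS cgalim.com",
    "2018-04-03T09:12:44Z 10.0.0.12 GET http://cgalim.com/admin/hr/1.apk 200",
    "2018-04-03T09:13:01Z 10.0.0.12 GET http://cgalim.com/admin/1211me/constructed.bin 200",
    "2018-04-03T09:13:05Z 10.0.0.12 POST https://ps.pndsn.com/publish/constructed-channel 200",
    "2018-04-03T09:14:00Z 10.0.0.20 GET http://example.com/index.html 200",
    "2018-04-03T09:14:02Z 10.0.0.20 DNS www.notcgalim.com",
]

if __name__ == "__main__":
    for h in scan(SAMPLE_LOG):
        print(f"line {h.line_no}: {h.ioc_type} {h.indicator} ({h.confidence})")
```

The table's values are display-truncated, so for real hunting take the full indicators from the Talos post and replace the prefix rows; the prefix logic is only there so the truncated rows still yield a lead rather than being silently dropped.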
