From Social Engineering to DMARC Abuse: TA427’s Art of Information Gathering
2024-04-16 • Proofpoint
Proofpoint describes TA427, also tracked as Emerald Sleet, APT43, THALLIUM, or Kimsuky, running information-gathering campaigns against experts on US and South Korean foreign policy. Since 2023 the group has used benign conversation starters about nuclear disarmament, sanctions, and US-ROK policy to build rapport and solicit analysis rather than immediately sending malware. The actor impersonates think tanks, NGOs, media, academia, and government personas, using DMARC abuse, free email addresses, typosquatting, private-account spoofing, and web beacons to make outreach more convincing and profile targets. Malware such as ReconShark appears only rarely after longer exchanges, which makes the activity hard to treat as a conventional phishing campaign.
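The DMARC abuse named above works only when the impersonated organisation publishes no DMARC record, or one with `p=none`, so mail spoofing its domain is delivered unchecked. The following added example (written for this page, not from the Proofpoint report) parses DMARC TXT records and ranks how spoofable a sender domain is; the domain names and records are constructed, and a real check would fetch `_dmarc.<domain>` over DNS.

```python
# Constructed sample DMARC TXT records (not from the report), keyed by the
# hypothetical domain they belong to. None means no _dmarc TXT record exists.
SAMPLE_RECORDS = {
    "thinktank-a.example": "v=DMARC1; p=reject; rua=mailto:dmarc@thinktank-a.example",
    "thinktank-b.example": "v=DMARC1; p=none; rua=mailto:dmarc@thinktank-b.example",
    "thinktank-c.example": "v=DMARC1; p=quarantine; pct=20",
    "thinktank-d.example": None,
}


def parse_dmarc(record):
    """Split a DMARC record into lowercase tag -> value (e.g. {'p': 'reject'})."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if "=" not in part:
            continue
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    return tags


def spoofing_risk(record):
    """Return (risk, reason) describing how freely a domain can be spoofed."""
    if record is None:
        return ("high", "no DMARC record: receivers apply no policy to spoofed From: headers")
    tags = parse_dmarc(record)
    if tags.get("v", "").upper() != "DMARC1":
        return ("high", "malformed record (missing v=DMARC1): receivers treat it as absent")
    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        return ("high", "missing or invalid p= tag: record is ignored by receivers")
    if policy == "none":
        return ("high", "p=none: monitoring only, spoofed mail is still delivered")
    pct = tags.get("pct", "100")
    if not pct.isdigit() or int(pct) < 100:
        return ("medium", f"p={policy} applied to only {pct}% of failing mail")
    if "rua" not in tags:
        return ("low", f"p={policy} enforced, but no rua= address so abuse goes unreported")
    return ("low", f"p={policy} enforced on 100% of failing mail")


def assess(records):
    """Map every domain to its (risk, reason) so the weak ones can be prioritised."""
    return {domain: spoofing_risk(rec) for domain, rec in records.items()}


if __name__ == "__main__":
    for domain, (risk, reason) in assess(SAMPLE_RECORDS).items():
        print(f"{domain:22} {risk:6} {reason}")
```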
Indicators of Compromise
| Type | Value | First Seen | Last Seen |
|---|---|---|---|
| DOMAIN | stimsonn.org | 2024-04-16 | 2024-04-16 |