Inside Kimsuky’s Latest Cyberattack: Analyzing Malicious Scripts and Payloads

2025-03-25 K7Security Labs

https://labs.k7computing.com/index.php/inside-kimsukys-latest-cyberattack-analyzing-malicious-scripts-and-payloads/

K7 Labs analyzes a Kimsuky attack chain built from a ZIP archive containing a VBScript, a PowerShell script, and two encoded text files. The VBScript dynamically builds and runs a command that launches 1.ps1, which decodes 1.log, collects the BIOS serial number, creates a machine-specific temp directory, and aborts if it detects a virtual machine. The decoded PowerShell functions support system profiling, browser and extension data theft from Edge, Firefox, Chrome, and Naver Whale, crypto-wallet extension file collection, persistence, C2-driven download and file operations, and chunked HTTP upload of exfiltrated data. A later decoded 2.log component adds keylogging, clipboard monitoring, and window-title logging, giving the operator reconnaissance and credential-theft capabilities before further C2 commands are issued.

Indicators of Compromise

Type   Value                             First Seen   Last Seen
HASH   ce4549607e46e656d8e019624d5036c1  2025-03-25   2025-04-04
HASH   64677cae14a2ec4d393a81548417b61b  2025-03-25   2025-04-04
HASH   1119a977a925ca17b554dced2cbabd85  2025-03-25   2025-03-25
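The following is an added defender-side example, not code from K7 Labs or from the report: it turns the summary and the IoC table above into two checks an analyst can run. The first hashes files and compares them with the three hashes listed (treated as MD5 because they are 32 hex characters, which is an assumption); the second scans process-creation events for the launch pattern the summary describes, a script host (wscript.exe or cscript.exe) spawning PowerShell with a .ps1 argument. The log lines, field names and paths in the sample are constructed for illustration and do not come from the report.

```python
"""Defender-side checks derived from the K7 Labs summary of the Kimsuky chain:
1. match file hashes against the report's IoC list;
2. flag a script host (wscript/cscript) spawning PowerShell with a .ps1,
   the VBScript-to-1.ps1 launch described in the write-up.
"""
import hashlib
import re
from pathlib import Path

# Hashes from the report's IoC table. They are 32 hex characters, so MD5 is
# assumed here; the page itself only labels them "HASH".
KIMSUKY_IOC_HASHES = frozenset({
    "ce4549607e46e656d8e019624d5036c1",
    "64677cae14a2ec4d393a81548417b61b",
    "1119a977a925ca17b554dced2cbabd85",
})

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
POWERSHELL_HOSTS = {"powershell.exe", "pwsh.exe"}


def md5_of_file(path: Path) -> str:
    """Stream the file through MD5 so large files do not need to fit in memory."""
    digest = hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def find_ioc_matches(paths, iocs=KIMSUKY_IOC_HASHES):
    """Return [(path, md5)] for every existing file whose MD5 is in `iocs`."""
    hits = []
    for p in map(Path, paths):
        if p.is_file():
            h = md5_of_file(p)
            if h in iocs:
                hits.append((str(p), h))
    return hits


# Constructed process-creation events in a simple key=value form
# (illustrative only; not telemetry from the report).
SAMPLE_PROCESS_LOG = """\
ts=2025-03-25T09:00:01Z parent=explorer.exe child=wscript.exe cmdline="wscript.exe C:\\Users\\u\\Downloads\\doc.vbs"
ts=2025-03-25T09:00:02Z parent=wscript.exe child=powershell.exe cmdline="powershell.exe -File C:\\Users\\u\\Downloads\\1.ps1"
ts=2025-03-25T09:05:00Z parent=explorer.exe child=powershell.exe cmdline="powershell.exe -File C:\\Scripts\\backup.ps1"
ts=2025-03-25T09:06:00Z parent=cscript.exe child=cmd.exe cmdline="cmd.exe /c dir"
"""

LINE_RE = re.compile(r'ts=(\S+) parent=(\S+) child=(\S+) cmdline="([^"]*)"')


def detect_script_host_to_powershell(log_text: str):
    """Return one alert dict per event where a script host starts PowerShell
    with a .ps1 on the command line. Lines that do not parse are skipped."""
    alerts = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, parent, child, cmdline = m.groups()
        if (parent.lower() in SCRIPT_HOSTS
                and child.lower() in POWERSHELL_HOSTS
                and ".ps1" in cmdline.lower()):
            alerts.append({"ts": ts, "parent": parent,
                           "child": child, "cmdline": cmdline})
    return alerts


if __name__ == "__main__":
    for alert in detect_script_host_to_powershell(SAMPLE_PROCESS_LOG):
        print("ALERT script host -> PowerShell:", alert)
    for path, h in find_ioc_matches(Path(".").glob("*")):
        print("IOC MATCH:", path, h)
```

In the sample, only the wscript.exe to powershell.exe event with 1.ps1 raises an alert; a PowerShell script started directly from explorer.exe and a cscript.exe that runs cmd.exe do not, which keeps the rule narrow enough to tolerate ordinary administrative scripting. Pair it with the hash check rather than relying on either alone, since a re-packed archive changes the hashes but not the launch pattern.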
