Keylogger Installed Using MS Office Equation Editor Vulnerability (Kimsuky)

2024-06-13 Ahnlab

https://asec.ahnlab.com/en/66720/


ASEC reported that Kimsuky exploited CVE-2017-11882 in the MS Office Equation Editor to launch mshta and run a malicious script that distributed a keylogger. The script connected to an error.php page that displayed a fake "Not Found" message while downloading additional malware from the C2 with PowerShell. Follow-on code collected system and IP information, could fetch the keylogger with a separate C2 query, and wrote keylogging and clipboard data to desktop.ini.bak under Users\Public\Music. The keylogger used a Global\AlreadyRunning19122345 mutex, exfiltrated collected data to the C2 at actor-controlled intervals, and the report lists related VBS, PowerShell downloader, keylogger detections, and sample hashes.

Indicators of Compromise

Type   Value                             First Seen   Last Seen
HASH   279c86f3796d14d2a4d89049c2b3fa2d  2024-05-29   2024-06-13
HASH   5bfeef520eb1e62ea2ef313bb979aeae  2024-05-29   2024-06-13
HASH   d404ab9c8722fc97cceb95f258a2e70d  2024-05-29   2024-06-13
