Kimsuky arsenal update: analysis of attacks targeting South Korea using the COVID-19 epidemic as bait

2021-10-12 Qianxin Kimsuky arsenal update: analysis of attacks targeting South Korea using the COVID-19 epidemic as bait

https://ti.qianxin.com/blog/articles/Kimsuky-Weapon-Update:-Analysis-of-Attack-Activity-Targeting-Korean-Region/


QiAnXin analyzed a Kimsuky-attributed attack against South Korean targets that used COVID-19 response material tied to a local land-management office as the lure. The malware arrived as a PIF executable masquerading as a PDF, acting as a loader that decrypted API strings, wrote both decoy and payload files under C:\ProgramData\, and launched the next stage with a fixed parameter. The payload copied itself as smss.exe under a system32-named folder, configured registry-based startup persistence, and included a file-deletion routine that overwrote, renamed, and removed target files. QiAnXin linked the activity to Kimsuky through malware analysis and infrastructure overlap, including reuse of IP address 216.189.149.78 and the domain movie.youtoboo.kro.kr.

Indicators of Compromise

Type    Value                              First Seen  Last Seen
HASH    946f787c129bf469298aa881fb0843f4   2021-10-12  2021-10-12
HASH    e33a34fa0e0696f6eae4feba11873f56   2021-10-12  2021-10-12
DOMAIN  movie.youtoboo.kro.kr              2021-10-12  2021-10-12
IPv4    216.189.149.78                     2021-10-12  2021-10-12
