Analysis of the Kimsuky Group's Phishing Campaign Targeting South Korea's News Industry (Kimsuky组织针对韩国新闻行业的钓鱼活动分析)

2021-12-30 Qihoo360 Analysis of Kimsuky Organization's Phishing Campaign Targeting Korean News Industry

https://mp.weixin.qq.com/s/O_3PFAB4RGxJXHnx_o9f3Q


Antiy CERT reports a Kimsuky spear-phishing campaign targeting an important figure in South Korea's news industry, including a Daily NK representative, by impersonating a Korea Internet and Security Agency researcher. The lure was a password-protected Word document carrying malicious macros; the attacker then replied with the password to increase credibility and induce macro execution. The infrastructure chain relied on compromised BBS/forum sites on which the actor uploaded webshells, mail-sending tools, scripts, and payloads to relay victim data and distribute malware. The follow-on payloads were assessed to collect system information, files, credentials, process lists, recent-document data, and keystrokes, matching Kimsuky's lightweight multi-stage scripting tradecraft.

Indicators of Compromise

Type    Value                First Seen    Last Seen
EMAIL   [email protected]    2021-12-30    2021-12-30
