Kimsuky's Ongoing Development of KimJongRAT Variants and Broader Threats

2025-11-21 ENKI Kimsuky's Ongoing Development of KimJongRAT Variants and Broader Threats

https://www.enki.co.kr/media-center/blog/kimsuky-s-ongoing-evolution-of-kimjongrat-and-expanding-threats


ENKI describes Kimsuky activity around KimJongRAT variants using phishing emails that impersonate South Korean public institutions, including the Ministry of Gender Equality and Family and the National Tax Service. The attack chain uses PHPMailer-delivered messages, redirected links, GitHub-hosted ZIP archives, decoy PDFs and malicious LNK, HTA, or document macro stages to launch mshta and pull follow-on payloads from URL shorteners and Google Drive. Later stages check Windows Defender state, decrypt AES- or RC4-protected payloads, execute sys.dll through rundll32, and collect system data, browser credentials and keys, cryptocurrency wallet data, Telegram and Discord artifacts, and Korean NPKI/GPKI certificates. The activity shows Kimsuky adapting KimJongRAT tradecraft with Korean-themed lures, commodity hosting, layered obfuscation, and credential theft against South Korean targets.
