APT attack case by the Kimsuky group (PebbleDash)

2021-12-21 AhnLab: APT attack case by the Kimsuky group (PebbleDash)

https://asec.ahnlab.com/ko/29718/


AhnLab describes a Kimsuky spearphishing case in which a link presented as an attachment led victims to a ZIP file containing a PIF dropper for the PebbleDash backdoor. The dropper installs PebbleDash under C:\ProgramData and opens a decoy Korean-language PDF; the backdoor then accepts attacker commands for process and file operations as well as file upload and download, giving the operators control of the host. The report also links the same environment to VBS downloader activity used together with AppleSeed droppers, scheduled tasks that execute VBScript and regsvr32 payloads, AppleSeed installations under paths that mimic legitimate software, and Meterpreter logs on related systems. Representative indicators include hxxp://tools.macbook.kro[.]kr/update.php and hxxp://m.sharing.p-e[.]kr/index.php?query=me, along with MD5 hashes for the PebbleDash droppers and VBS downloaders.

Indicators of Compromise

Type     Value                              First Seen   Last Seen
HASH     71fe5695bd45b72a8bb864636d92944b   2021-12-21   2021-12-21
HASH     269ded557281d38b5966d6227c757e92   2021-12-21   2021-12-21
HASH     25f057bff7de9d3bc2fb325697c56334   2021-12-21   2021-12-21
HASH     7211fed2e2ec624c87782926200d61fd   2021-12-21   2021-12-21
URL      http://m.sharing.p-e.kr/index.p…   2021-12-21   2021-12-21
URL      http://tools.macbook.kro.kr/upd…   2021-12-21   2021-12-21
DOMAIN   m.sharing.p-e.kr                   2021-12-21   2021-12-21
DOMAIN   tools.macbook.kro.kr               2021-12-21   2021-12-21
