Kimsuky Group's APT Attack Analysis Report (AppleSeed, PebbleDash)
2021-11-16 • AhnLab • Original Korean title: Kimsuky 그룹의 APT 공격 분석 보고서 (AppleSeed, PebbleDash)
AhnLab analyzes Kimsuky APT attacks that begin with spear-phishing and social engineering: e-mail attachments disguised as documents on North Korea and diplomacy. The report notes that victims are often individual users, but infection logs also show public institutions, domestic universities, IT and telecommunications firms, and construction companies being targeted. The initial malware poses as a legitimate document while installing additional backdoors, chiefly AppleSeed and PebbleDash: AppleSeed has appeared in many Kimsuky cases since around 2019, while PebbleDash is a NukeSped variant historically attributed to Lazarus and recently observed alongside AppleSeed. Once established, the backdoors execute attacker commands and install further tooling, including Meterpreter, an HVNC based on TinyNuke, TightVNC, RDP Wrapper, privilege-escalation components, credential stealers (Mimikatz and a Chrome credential collector), and proxy malware.
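Two of the artifact classes the summary names, droppers posing as documents and RDP Wrapper, lend themselves to cheap host triage. The script below is an added example, not code from AhnLab or from the report: it flags the common ways an executable is made to look like a document (a double extension such as `.pdf.exe`, a right-to-left override character in the name, padding spaces, or PE magic bytes behind a document extension) and checks whether the TermService `ServiceDll` value still points at the genuine `termsrv.dll`, since RDP Wrapper works by redirecting that value to its own `rdpwrap.dll`. The file names, header bytes and registry value are constructed test data, not samples from the report, and the checks are generic rather than a match for the report's specific indicators.

```python
"""Host triage for two artifact classes named in the AhnLab Kimsuky summary:
document-masquerading droppers and RDP Wrapper persistence.

Added example; not code from AhnLab or the report. The file names, headers
and registry values below are constructed test data, not report samples.
The checks are generic and do not claim to match the report's IOCs.
"""
import re

# Extensions a decoy "document" is likely to carry (.hwp is Hangul Word Processor,
# common on Korean hosts) and extensions that actually execute on Windows.
DOC_EXTS = {"doc", "docx", "hwp", "pdf", "xls", "xlsx", "ppt", "pptx", "txt"}
EXEC_EXTS = {"exe", "scr", "com", "pif", "cpl", "js", "vbs", "wsf", "lnk", "bat", "cmd", "hta"}
RLO = "\u202e"  # Unicode RIGHT-TO-LEFT OVERRIDE, visually reverses the tail of a name

# RDP Wrapper enables multi-session RDP by pointing TermService's ServiceDll at
# rdpwrap.dll instead of the genuine termsrv.dll; any other path deserves a look.
TERMSERVICE_PARAMS = r"HKLM\SYSTEM\CurrentControlSet\Services\TermService\Parameters"
GENUINE_TERMSRV = r"\system32\termsrv.dll"


def masquerade_reasons(filename: str, head: bytes = b"") -> list[str]:
    """Return why a file posing as a document looks suspicious (empty list = clean).

    head is the first few bytes of the file, if available."""
    reasons = []
    if RLO in filename:
        reasons.append("right-to-left override in name")
    parts = filename.lower().split(".")
    # document extension immediately followed by an executable one: "brief.pdf.exe"
    if len(parts) >= 3 and parts[-2] in DOC_EXTS and parts[-1] in EXEC_EXTS:
        reasons.append(f"double extension {parts[-2]}.{parts[-1]}")
    # a document extension over a PE header: the icon and name lie, the bytes do not
    if parts[-1] in DOC_EXTS and head[:2] == b"MZ":
        reasons.append("PE header under a document extension")
    # padding spaces push the real extension out of view in file listings
    if re.search(r" {5,}\.", filename):
        reasons.append("padding spaces hide real extension")
    return reasons


def termservice_dll_suspicious(service_dll: str) -> bool:
    """True unless ServiceDll resolves to the genuine termsrv.dll under System32."""
    expanded = service_dll.lower().replace("%systemroot%", r"c:\windows")
    return not expanded.endswith(GENUINE_TERMSRV)


def triage(files, service_dll: str) -> list[str]:
    """Run both checks over (filename, head_bytes) pairs and a ServiceDll value."""
    findings = []
    for name, head in files:
        for reason in masquerade_reasons(name, head):
            findings.append(f"{name!r}: {reason}")
    if termservice_dll_suspicious(service_dll):
        findings.append(f"{TERMSERVICE_PARAMS}\\ServiceDll = {service_dll!r}: "
                        "not termsrv.dll (RDP Wrapper?)")
    return findings


# Constructed inputs (not report samples).
SAMPLE_FILES = [
    ("diplomacy_brief.docx", b"PK\x03\x04"),        # genuine OOXML zip container
    ("press_release.pdf.exe", b"MZ\x90\x00"),       # double extension
    ("report.docx", b"MZ\x90\x00"),                 # PE bytes behind a .docx name
    ("brief" + RLO + "xcod.exe", b"MZ\x90\x00"),    # renders as "briefexe.docx"
]
SAMPLE_SERVICE_DLL = r"C:\Program Files\RDP Wrapper\rdpwrap.dll"

if __name__ == "__main__":
    for line in triage(SAMPLE_FILES, SAMPLE_SERVICE_DLL):
        print(line)
```

On a live host the `ServiceDll` value would be read from the registry path in `TERMSERVICE_PARAMS` and the header bytes from each attachment on disk; the functions are kept pure so the same logic can run over collected evidence offline.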