Circumstances of xRAT (Quasar RAT) Distribution by the Kimsuky Group

2022-01-28 Ahnlab Circumstances of distribution of xRAT (Quasar RAT) by Kimsuky Group

https://asec.ahnlab.com/ko/30953/


AhnLab observed Kimsuky using xRAT, a variant of the open-source Quasar RAT, alongside a Gold Dragon variant on an infected system in January 2022. The installer downloaded a GZip-compressed Gold Dragon payload from attacker infrastructure, unpacked it into the temp directory, executed it with rundll32.exe, and then established persistence through an autorun registry key. The Gold Dragon variant reused the known process-hollowing behavior against processes such as iexplore.exe and svchost.exe, but lacked the built-in system reconnaissance commands of earlier versions, suggesting that the information-theft functionality had been split out into separate modules. The attacker then deployed cp1093.exe, which ran xRAT by process hollowing into a copy of powershell_ise.exe placed under C:\ProgramData\. Reported infrastructure and artifacts included sk5621.com.co, 45.77.71.50:8082, installer_sk5621.com.co.exe, glu32.dll, cp1093.exe, and an uninstall tool used to remove traces of earlier activity.
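One way to turn the chain above into detection logic, as an added example written for this page and not code from AhnLab's report: it runs constructed Sysmon-like events through rules for the rundll32-from-temp loader stage, a hollowing host (powershell_ise.exe, svchost.exe) running outside its system directory, the autorun persistence, and the reported indicators. The event schema, the sample telemetry, and the choice of the Run key as the autorun location are assumptions.

```python
import re

# Indicators taken from the report above: C2 domain and IP, file names and MD5 hashes.
IOC_HOSTS = {"sk5621.com.co", "45.77.71.50"}
IOC_FILENAMES = {"installer_sk5621.com.co.exe", "glu32.dll", "cp1093.exe"}
IOC_HASHES = {"4ea6cee3ecd9bbd2faf3af73059736df", "40b428899db353bb0ea244d95b5b82d9",
              "070f0390aad17883cc8fad2dc8bc81ba", "b841d27fb7fee74142be38cee917eda5"}
# Hollowing hosts normally live under System32; a copy running from anywhere else is suspect.
HOLLOW_HOSTS = {"powershell_ise.exe", "svchost.exe"}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
TEMP_DLL = re.compile(r"\\appdata\\local\\temp\\[^\s,]+\.dll")

def check_event(ev):
    """Return the rule names one event trips. Events use a constructed, Sysmon-like
    dict schema: type, image, command_line, md5, dest_host, target_object, details."""
    hits, kind = [], ev.get("type")
    image = ev.get("image", "").lower()
    name = image.rsplit("\\", 1)[-1]
    if kind == "process_create":
        # Loader stage: rundll32.exe running a DLL unpacked into the user's temp directory
        if name == "rundll32.exe" and TEMP_DLL.search(ev.get("command_line", "").lower()):
            hits.append("rundll32_dll_from_temp")
        # Hollowing host: a Windows binary executing from a copy outside its system directory
        if name in HOLLOW_HOSTS and not image.startswith(SYSTEM_DIRS):
            hits.append("system_binary_outside_system_dir")
        if name in IOC_FILENAMES or ev.get("md5", "").lower() in IOC_HASHES:
            hits.append("known_artifact")
    elif kind == "registry_set":
        # Persistence: the report says "autorun registry key"; the Run key is assumed here
        if ("\\currentversion\\run\\" in ev.get("target_object", "").lower()
                and "rundll32" in ev.get("details", "").lower()):
            hits.append("run_key_rundll32")
    elif kind == "network_connect" and ev.get("dest_host", "").lower() in IOC_HOSTS:
        hits.append("known_c2")
    return hits

def scan(events):
    """Map each event index to the rules it trips, leaving clean events out."""
    return {i: h for i, ev in enumerate(events) if (h := check_event(ev))}

# Constructed sample telemetry that mirrors the chain described above (not from the report).
SAMPLE_EVENTS = [
    {"type": "process_create", "image": "C:\\Users\\u\\Downloads\\installer_sk5621.com.co.exe"},
    {"type": "network_connect", "dest_host": "sk5621.com.co"},
    {"type": "process_create", "image": "C:\\Windows\\System32\\rundll32.exe",
     "command_line": "rundll32.exe C:\\Users\\u\\AppData\\Local\\Temp\\glu32.dll"},
    {"type": "registry_set", "target_object": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\upd",
     "details": "rundll32.exe C:\\Users\\u\\AppData\\Local\\Temp\\glu32.dll"},
    {"type": "process_create", "image": "C:\\ProgramData\\powershell_ise.exe"},
]
```

`scan(SAMPLE_EVENTS)` flags all five constructed events, while a powershell_ise.exe started from its real System32 path trips nothing.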

Indicators of Compromise

Type    Value                              First Seen   Last Seen
DOMAIN  com.co                             2022-01-28   2024-11-10
HASH    4ea6cee3ecd9bbd2faf3af73059736df   2022-01-28   2022-01-28
HASH    40b428899db353bb0ea244d95b5b82d9   2022-01-28   2022-01-28
HASH    070f0390aad17883cc8fad2dc8bc81ba   2022-01-28   2022-01-28
HASH    b841d27fb7fee74142be38cee917eda5   2022-01-28   2022-01-28
URL     https://sk5621.com.co              2022-01-28   2022-01-28
DOMAIN  sk5621.com.co                      2022-01-28   2022-01-28
IPv4    45.77.71.50                        2022-01-28   2022-01-28
