Kimsuky Group: Signs of Attacks Targeting the National Assembly Election Period Detected

2020-04-10 AhnLab: Signs detected of Kimsuky group attacks targeting the National Assembly election period

https://asec.ahnlab.com/1313


AhnLab linked an election-period malicious document campaign to Kimsuky, centered on Word documents that contacted saemaeul.mireene[.]com infrastructure previously associated with the group. The initial document contained election-related content but did not reveal it on standalone execution; the source says a second macro-enabled document reconstructed or unlocked the content only in specific conditions, suggesting targeted delivery. The macro chain embedded an edit-unlock password, modified and resaved the decoy document, sent user information to attacker infrastructure, and registered a VBS task to reconnect to configured network addresses every five minutes. AhnLab detected the malicious documents as XML/Dloader and Downloader/Doc.Generic.
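An added triage example (not AhnLab's code and not part of the original report) for the persistence behaviour summarised above: it flags exported Task Scheduler XML definitions whose action runs a script host or a .vbs file and whose trigger repeats at short intervals. The 10-minute threshold, the script-host list, and the sample tasks and paths are assumptions constructed for the demo.

```python
import re
import xml.etree.ElementTree as ET

# Namespace used by Windows Task Scheduler task definitions (schtasks /query /xml).
NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
SCRIPT_HOSTS = ("wscript.exe", "cscript.exe")  # assumption: hosts that run VBS
DURATION = re.compile(r"^P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?$")

def interval_seconds(text):
    """Convert an ISO 8601 duration such as PT5M to seconds (None if unparsable)."""
    m = DURATION.match((text or "").strip())
    if not m or not any(m.groups()):
        return None
    d, h, mi, s = (int(g or 0) for g in m.groups())
    return d * 86400 + h * 3600 + mi * 60 + s

def suspicious_actions(task_xml, max_interval=600):
    """Return (command, arguments, interval_s) for script actions that repeat quickly."""
    root = ET.fromstring(task_xml)
    intervals = [interval_seconds(e.text) for e in root.iterfind(".//t:Repetition/t:Interval", NS)]
    fastest = min((i for i in intervals if i), default=None)
    if fastest is None or fastest > max_interval:
        return []  # no repetition, or repetition slower than the threshold
    hits = []
    for ex in root.iterfind(".//t:Actions/t:Exec", NS):
        cmd = (ex.findtext("t:Command", "", NS) or "").strip()
        args = (ex.findtext("t:Arguments", "", NS) or "").strip()
        exe = cmd.strip('"').replace("/", "\\").rsplit("\\", 1)[-1].lower()
        if exe in SCRIPT_HOSTS or re.search(r"\.vbs\b", cmd + " " + args, re.I):
            hits.append((cmd, args, fastest))
    return hits

def sample_task(command, arguments, interval=None):
    """Build a constructed task definition for the demo (not taken from the report)."""
    rep = f"<Repetition><Interval>{interval}</Interval></Repetition>" if interval else ""
    return (f'<Task xmlns="{NS["t"]}"><Triggers><TimeTrigger>{rep}'
            "<StartBoundary>2020-04-10T09:00:00</StartBoundary></TimeTrigger></Triggers>"
            f"<Actions><Exec><Command>{command}</Command>"
            f"<Arguments>{arguments}</Arguments></Exec></Actions></Task>")

if __name__ == "__main__":
    tasks = {  # constructed samples: one five-minute VBS task, one ordinary updater
        "constructed-beacon": sample_task("wscript.exe", r"//B C:\Users\Public\example.vbs", "PT5M"),
        "constructed-updater": sample_task(r"C:\Program Files\Example\updater.exe", "/silent"),
    }
    for name, xml in tasks.items():
        for cmd, args, secs in suspicious_actions(xml):
            print(f"{name}: {cmd} {args} repeats every {secs}s")
```

A hit is a lead for review, not a verdict: legitimate software also schedules short-interval script tasks, so check the script path and its network destinations before acting.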

Indicators of Compromise

Type    Value                 First Seen  Last Seen
DOMAIN  saemaeul.mireene.com  2020-04-10  2020-07-29
DOMAIN  mireene.com           2020-03-20  2020-07-29
