Kimsuky group uses ADS to conceal malware

2023-03-24 Ahnlab Kimsuky group uses ADS to conceal malware

https://asec.ahnlab.com/ko/50394/


ASEC observed the Kimsuky group hiding malware in Windows Alternate Data Streams (ADS). The infection begins with VBScript embedded in an HTML file; it functions as an infostealer that collects directory and recent-file information, then decodes a payload into C:\ProgramData\Uso2. Persistence is established through a scheduled task that repeatedly runs a script which contacts the C2 server and executes additional scripts. That script is stored as .Uso2Config.conf:honeyT, that is, in a named stream attached to the host file .Uso2Config.conf, so a normal directory listing shows only a zero-byte host file. ASEC detects the activity as Downloader/VBS.Kimsuky.S1997 and lists representative indicators including zetaros.000webhostapp[.]com.
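Two hunts a defender could run for the artefacts this summary describes, as an added example that is not part of the ASEC report: the C:\ProgramData default comes from the report, while the function names, the stream-path regex and the script-host heuristic are my own assumptions.

```powershell
# Added example, not ASEC's code: look for (1) files carrying a named stream behind a
# zero-byte host file and (2) scheduled tasks that launch a script from such a stream.

function Find-NamedStreams {
    param([string]$Path = 'C:\ProgramData')   # drop location named in the report
    Get-ChildItem -LiteralPath $Path -Recurse -File -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            $file = $_
            # Every file has the unnamed ':$DATA' stream; anything else is a named ADS.
            # Zone.Identifier (mark-of-the-web) is the usual benign one, so it is skipped.
            Get-Item -LiteralPath $file.FullName -Stream * -ErrorAction SilentlyContinue |
                Where-Object { $_.Stream -notin ':$DATA', 'Zone.Identifier' } |
                ForEach-Object {
                    [pscustomobject]@{
                        HostFile     = $file.FullName
                        HostSize     = $file.Length     # 0 for the pattern in the report
                        Stream       = $_.Stream
                        StreamLength = $_.Length
                    }
                }
        }
}

function Find-StreamScriptTasks {
    # Heuristic (my assumption): a Windows path followed by ':streamname',
    # e.g. C:\ProgramData\Uso2\.Uso2Config.conf:honeyT
    $streamPath = '[A-Za-z]:\\[^\s"]*:[^\s\\"]+'
    Get-ScheduledTask -ErrorAction SilentlyContinue | ForEach-Object {
        $task = $_
        foreach ($action in $task.Actions) {
            $cmd = "$($action.Execute) $($action.Arguments)"
            $isScriptHost = $action.Execute -match '(?i)(w|c)script(\.exe)?$'
            # Flag a stream path anywhere, or a script host pointed at ProgramData.
            if ($cmd -match $streamPath -or ($isScriptHost -and $cmd -match '(?i)\\ProgramData\\')) {
                [pscustomobject]@{
                    Task    = $task.TaskPath + $task.TaskName
                    Command = $cmd
                }
            }
        }
    }
}

Find-NamedStreams      | Format-Table -AutoSize
Find-StreamScriptTasks | Format-Table -AutoSize
```

Run from an elevated prompt so that Get-ScheduledTask can read every task folder; a hit from either function is a lead to inspect, not a verdict on its own.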

Indicators of Compromise

Type    Value                              First Seen  Last Seen
HASH    aca61a168d95c5f72b8e02650f727000   2023-03-24  2023-05-24
HASH    ec3c0d9cbf4e27e0240c5b5d888687ec   2023-03-24  2023-03-29
DOMAIN  zetaros.000webhostapp.com          2023-03-24  2023-03-29
