Analysis of attack activities of the Kimsuky APT group using Blogspot to distribute malicious payloads

2021-07-19, Qianxin: Analysis of attack activities of Kimsuky APT organization using blogspot to distribute malicious payloads

https://ti.qianxin.com/blog/articles/Analysis-of-attack-activities-of-Kimsuky-APT-group-using-blogspot-to-distribute-malicious-payloads/


QiAnXin attributed several captured malicious document samples to Kimsuky, describing Korean fee-payment lures that displayed decoy content while inducing victims to enable a malicious VBA macro. The core macro monitored text input before downloading Base64-encoded data from 1213rt.atwebpages.com, writing a VBS script to %AppData%\Microsoft\desktop.ini, and creating a startup shortcut named Internet Explorer.lnk for persistence. The VBS then retrieved a further payload embedded in a Blogspot page such as kimshan600000.blogspot.com/2021/07/1.html, adding a layer to the download chain and complicating attribution. The reported final backdoor behavior focused on system reconnaissance, including collection of the installed Microsoft Office Excel version, with the results exfiltrated to attacker infrastructure.
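One way a defender can flag the persistence artifact described above on a host, as an added example that is not from the QiAnXin report: a Python check over constructed Startup-folder entries that reports a shortcut launching a script host against a file with a non-script extension, which is what the VBS stored as desktop.ini and started via Internet Explorer.lnk looks like. The shortcut names, targets and the EXPECTED_TARGET mapping are assumptions for illustration.

```python
import re

# Constructed sample Startup-folder entries (not taken from the report):
# (shortcut file name, resolved target command line).
STARTUP_ENTRIES = [
    ("Internet Explorer.lnk",
     r'wscript.exe //e:vbscript "C:\Users\v\AppData\Roaming\Microsoft\desktop.ini"'),
    ("OneDrive.lnk",
     r'"C:\Users\v\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
    ("Internet Explorer (legit).lnk",
     r'"C:\Program Files\Internet Explorer\iexplore.exe"'),
]

SCRIPT_HOST = re.compile(r'\b(wscript|cscript)\.exe\b', re.I)
# //e: forces a script engine, so the file extension no longer has to be .vbs
ENGINE_OVERRIDE = re.compile(r'//e:(vbscript|jscript)', re.I)
NON_SCRIPT_TARGET = re.compile(r'\.(ini|txt|dat|log|tmp)"?\s*$', re.I)
# Assumed mapping: shortcut names a legitimate install points at these binaries.
EXPECTED_TARGET = {
    "internet explorer.lnk": "iexplore.exe",
    "internet explorer (legit).lnk": "iexplore.exe",
}


def check_entry(name, target):
    """Return the reasons a Startup shortcut looks like script-based persistence."""
    reasons = []
    if SCRIPT_HOST.search(target):
        reasons.append("script host launched from Startup folder")
        if ENGINE_OVERRIDE.search(target):
            reasons.append("script engine forced with //e:")
        if NON_SCRIPT_TARGET.search(target):
            reasons.append("script run from a file with a non-script extension")
    expected = EXPECTED_TARGET.get(name.lower())
    if expected and expected.lower() not in target.lower():
        reasons.append(f"shortcut named like {expected} but targets something else")
    return reasons


def scan(entries):
    """List (name, reasons) for every suspicious entry; clean entries are omitted."""
    flagged = []
    for name, target in entries:
        reasons = check_entry(name, target)
        if reasons:
            flagged.append((name, reasons))
    return flagged


if __name__ == "__main__":
    for name, reasons in scan(STARTUP_ENTRIES):
        print(name, "->", "; ".join(reasons))
```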

Indicators of Compromise

