Analysis of Kimsuky APT's targeted attack activities on South Korean defense and security-related departments

2021-06-23 Qihoo360 Analysis of Kimsuky APT's targeted attack activities on South Korean defense and security-related departments

https://www.freebuf.com/articles/paper/278762.html

ThreatBook described Kimsuky activity targeting South Korean defense and security-related organizations over roughly six months with lures themed around the U.S.-South Korea summit, Ministry of National Defense bidding documents, and a fake KISA mobile security app. The Windows infection chains disguised malware as HWP documents or Microsoft-style components, used mshta.exe to retrieve remote scripts from infrastructure such as mail.kumb.cf and v*p*n.atooi.ga, and deployed espionage RAT components with persistence, remote shell, file transfer, keylogging, screen capture, file monitoring, and USB monitoring functions. The Android variant masqueraded as “KISA Mobile Security,” requested sensitive permissions, contacted app.at-me.ml, and collected SMS and file information. The report also linked several domains to 104.128.239.70 and noted Korean reporting that Kimsuky abused VPN access in the KAERI intrusion, while treating any Lazarus coordination as a suspected overlap rather than a confirmed attribution.

Indicators of Compromise

