Analysis of a Kimsuky APT Group Phishing Sample
2026-04-07 • Sad Sec • Analysis of a Kimsuky APT Phishing Sample
A suspected Kimsuky phishing operation used a lure themed on the Korean Army K-ICTC to target military, defense, diplomatic, and related research audiences. The archive delivered to victims contained a convincing invitation PDF alongside an LNK shortcut disguised as a PDF; the shortcut downloaded an encoded VBE loader from 103.67.196.25 and then used PowerShell, host identification derived from `getmac` output, and an AppleSeed-style `type=apple` C2 parameter. Persistence was established through a `Chrome_Update` scheduled task that ran `wscript.exe /b ant.vbe` from `C:\Users\Public\Music`, with later commands delivered after an observation period. The second stage abused legitimate Chrome Remote Desktop components, a fixed PIN, and a CMSTPLUA UAC bypass script to establish covert remote access: a staged intrusion that blends script-based loading with legitimate remote administration tooling.
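The chain above leaves several detectable traces on the endpoint and in proxy logs: a scheduled task whose name imitates a browser updater but whose action is a script host run from a world-writable public folder, `wscript.exe` executing a `.vbe` from `C:\Users\Public`, beacons carrying the `type=apple` parameter or going to the listed IP, and a command line carrying the COM elevation moniker that CMSTPLUA-style UAC bypasses rely on. The following rules are an added example written for this page, not code from the report or its author; the event schema (`task_created`, `process`, `http` dictionaries), the rule names, the sample events, the URL path around `type=apple`, the `{CLSID-PLACEHOLDER}` token and the benign WS02 records are all constructed assumptions. Only the IP comes from the IoC table.

```python
# Added example: hypothetical detection rules for the staged chain described in
# the report, run over constructed (not real) endpoint and proxy events.
import re
from dataclasses import dataclass
from urllib.parse import parse_qs, urlparse

# Indicator taken from the report's IoC table. Everything else below is a
# behavioural pattern derived from the narrative, not a page-supplied value.
KNOWN_C2_IPS = {"103.67.196.25"}
PUBLIC_DIR = r"c:\users\public"           # world-writable drop location in the report
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# Well-known COM elevation moniker prefix; CMSTPLUA-style UAC bypasses use it
# (the CLSID is deliberately not reproduced here; the sample uses a placeholder).
ELEVATION_MONIKER = "elevation:administrator!new:"


@dataclass(frozen=True)
class Alert:
    rule: str
    host: str
    detail: str


def _basename(path: str) -> str:
    """Lower-cased final path component; tolerates both slash styles."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def rule_masquerading_task(ev: dict) -> list:
    """Task named like a browser updater whose action is a script host launched
    from a public folder (the Chrome_Update -> wscript.exe /b ant.vbe pattern)."""
    if ev.get("type") != "task_created" or not ev.get("action"):
        return []
    name, action, wd = ev["task_name"], ev["action"], ev.get("working_dir", "")
    exe = _basename(action.split()[0])
    in_public = wd.lower().startswith(PUBLIC_DIR) or PUBLIC_DIR in action.lower()
    if re.search(r"chrome|update", name, re.I) and exe in SCRIPT_HOSTS and in_public:
        return [Alert("masquerading_scheduled_task", ev["host"], f"{name} -> {action} in {wd}")]
    return []


def rule_script_host_from_public(ev: dict) -> list:
    """wscript/cscript running a .vbe/.vbs located in or launched from C:\\Users\\Public."""
    if ev.get("type") != "process" or _basename(ev.get("image", "")) not in SCRIPT_HOSTS:
        return []
    cmd, cwd = ev.get("cmdline", "").lower(), ev.get("cwd", "").lower()
    if re.search(r"\.vb[es]\b", cmd) and (cwd.startswith(PUBLIC_DIR) or PUBLIC_DIR in cmd):
        return [Alert("script_host_public_folder", ev["host"], ev["cmdline"])]
    return []


def rule_c2_traffic(ev: dict) -> list:
    """Known C2 address, or the AppleSeed-style type=apple query parameter."""
    if ev.get("type") != "http":
        return []
    alerts = []
    if ev.get("dst_ip") in KNOWN_C2_IPS:
        alerts.append(Alert("known_c2_ip", ev["host"], ev["dst_ip"]))
    if parse_qs(urlparse(ev.get("url", "")).query).get("type") == ["apple"]:
        alerts.append(Alert("appleseed_beacon_param", ev["host"], ev["url"]))
    return alerts


def rule_elevation_moniker(ev: dict) -> list:
    """Process command line referencing the COM elevation moniker."""
    if ev.get("type") == "process" and ELEVATION_MONIKER in ev.get("cmdline", "").lower():
        return [Alert("com_elevation_moniker", ev["host"], ev["cmdline"])]
    return []


RULES = [rule_masquerading_task, rule_script_host_from_public, rule_c2_traffic, rule_elevation_moniker]


def run_rules(events) -> list:
    """Apply every rule to every event and return the flattened alert list."""
    return [alert for ev in events for rule in RULES for alert in rule(ev)]


# Constructed sample telemetry: WS01 mirrors the report's chain, WS02 is benign noise.
SAMPLE_EVENTS = [
    {"type": "task_created", "host": "WS01", "task_name": "Chrome_Update",
     "action": r"wscript.exe /b ant.vbe", "working_dir": r"C:\Users\Public\Music"},
    {"type": "process", "host": "WS01", "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r"wscript.exe /b ant.vbe", "cwd": r"C:\Users\Public\Music"},
    {"type": "http", "host": "WS01", "dst_ip": "103.67.196.25",
     "url": "http://103.67.196.25/index.php?type=apple&id=CONSTRUCTED"},  # path/id constructed
    {"type": "process", "host": "WS01", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -NoProfile -Command <redacted> Elevation:Administrator!new:{CLSID-PLACEHOLDER}"},
    {"type": "task_created", "host": "WS02", "task_name": "GoogleUpdateTaskMachineUA",
     "action": r"C:\Program Files (x86)\Google\Update\GoogleUpdate.exe /ua", "working_dir": ""},
    {"type": "http", "host": "WS02", "dst_ip": "203.0.113.10", "url": "http://example.com/"},
]

if __name__ == "__main__":
    for a in run_rules(SAMPLE_EVENTS):
        print(f"[{a.rule}] {a.host}: {a.detail}")
```

The task rule deliberately requires all three signals (updater-like name, script-host action, public folder) so that genuine `GoogleUpdate` tasks do not fire; the traffic rule is split in two so that a `type=apple` beacon to an address not yet on the IoC list is still surfaced.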
Indicators of Compromise
| Type | Value | First Seen | Last Seen |
|---|---|---|---|
| IPv4 | 103.67.196.25 | 2026-04-07 | 2026-05-19 |