Kimsuky APT Targets South Korea with Deceptive PDF Lures
2025-04-04 • Seqrite
https://www.seqrite.com/blog/kimsuky-apt-south-korea-pdf-lures/
Seqrite Labs links two South Korea-focused campaigns to Kimsuky, also known as Black Banshee, using government-themed PDF/LNK lures sent by email to government entities, local offices, and residential recipients. The infection chain begins with a malicious LNK that retrieves an obfuscated VBScript from external C2 infrastructure, drops a PDF and ZIP archive, and runs VBScript and PowerShell components hidden in files such as 1.vbs, 1.ps1, 1.log, and 2.log. The PowerShell stage collects the BIOS serial number, checks for virtualized environments, creates host-specific temporary storage, and supports data exfiltration, browser credential theft, cryptocurrency wallet file collection, persistence, and C2 communication. A decoded second log contains keylogging and clipboard-monitoring functionality, showing the campaign’s emphasis on credential and sensitive data theft from compromised South Korean systems.
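As an added example (not code from Seqrite's report), a small Python detector that flags the chain summarized above in constructed process and DNS telemetry: a script host launched with one of the staging file names (1.vbs, 1.ps1, 1.log, 2.log), PowerShell spawned by wscript/cscript, and name lookups for the two domains in the indicator list. The event shape and the sample events are assumptions made for this illustration.

```python
"""Flag the LNK -> VBScript -> PowerShell chain and C2 lookups from the report.

Sample events are constructed for this example; the JSON shape (ts, event,
image, cmdline, parent, query) is an assumption, not a real product format.
"""
import json
import re

SUSPICIOUS_DOMAINS = {"srvdown.ddns.net", "cdn.glitch.global"}   # from the report's IoCs
STAGE_FILES = re.compile(r"\b[12]\.(vbs|ps1|log)\b", re.IGNORECASE)  # 1.vbs, 1.ps1, 1.log, 2.log
SCRIPT_HOSTS = ("wscript.exe", "cscript.exe", "powershell.exe", "pwsh.exe")

# Constructed sample telemetry (JSON lines); backslashes are escaped for JSON.
SAMPLE_EVENTS = r"""
{"ts": 1, "event": "process", "image": "C:\\Windows\\explorer.exe", "cmdline": "explorer.exe", "parent": ""}
{"ts": 2, "event": "process", "image": "C:\\Windows\\System32\\wscript.exe", "cmdline": "wscript.exe C:\\Users\\u\\AppData\\Local\\Temp\\1.vbs", "parent": "explorer.exe"}
{"ts": 3, "event": "dns", "image": "C:\\Windows\\System32\\wscript.exe", "query": "srvdown.ddns.net"}
{"ts": 4, "event": "process", "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "cmdline": "powershell.exe -ExecutionPolicy Bypass -File C:\\Users\\u\\AppData\\Local\\Temp\\1.ps1", "parent": "wscript.exe"}
{"ts": 5, "event": "process", "image": "C:\\Windows\\System32\\notepad.exe", "cmdline": "notepad.exe report.txt", "parent": "explorer.exe"}
"""


def load_events(text):
    """Parse JSON-lines telemetry into a list of dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def find_chain(events):
    """Return (ts, rule, image, detail) tuples for events matching the chain."""
    alerts = []
    for e in events:
        image = e.get("image", "").lower().rsplit("\\", 1)[-1]  # basename only
        if e["event"] == "process":
            cmd = e.get("cmdline", "")
            parent = e.get("parent", "").lower()
            # Script host executing one of the staging file names from the report
            if image in SCRIPT_HOSTS and STAGE_FILES.search(cmd):
                alerts.append((e["ts"], "stage-file", image, cmd))
            # PowerShell spawned by a VBScript host: the 1.vbs -> 1.ps1 hand-off
            if image in ("powershell.exe", "pwsh.exe") and parent in ("wscript.exe", "cscript.exe"):
                alerts.append((e["ts"], "vbs-spawns-powershell", image, cmd))
        elif e["event"] == "dns" and e.get("query", "").lower() in SUSPICIOUS_DOMAINS:
            alerts.append((e["ts"], "c2-domain", image, e["query"]))
    return alerts


if __name__ == "__main__":
    for alert in find_chain(load_events(SAMPLE_EVENTS)):
        print(alert)
```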
Indicators of Compromise