Kimsuky Arsenal Exposure: Multi-format Trojan Analysis

2024-11-20 Sec AI

https://www.secai.ai/blog/latest_research/Kimsuky_Arsenal_Exposure


SecAI reported a 2024 Kimsuky campaign that used phishing websites to steal email credentials and then sent follow-up phishing messages from the compromised, more trusted accounts. The activity targeted South Korean diplomatic, construction, university, and security-themed victims with lures delivered as LNK, ISO, XLS, DOC, CHM, MSC, JS, and other Windows file formats. Embedded cmd, batch, VBS, JavaScript, and PowerShell stages downloaded, decrypted, or ran payloads that ultimately executed C2 commands. The report notes PHP-style URL patterns with meaningful parameters, date-like directory naming, Korean dynamic domains such as n-e.kr, p-e.kr, r-e.kr, o-r.kr, and kro.kr, and increasing use of free top-level domains such as .site, .store, .online, .me, and .shop.
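As an added example (not code from the SecAI report), the Python below triages proxy-log URLs against the infrastructure traits the summary names: the listed dynamic domains, the free TLDs, .php paths carrying query parameters, and date-like directory names. The regex used for "date-like" directories, the scoring threshold, the log line format and the sample log lines are all assumptions constructed for this example.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Domain suffixes and free TLDs named in the report summary.
DYNAMIC_DOMAINS = ("n-e.kr", "p-e.kr", "r-e.kr", "o-r.kr", "kro.kr")
FREE_TLDS = ("site", "store", "online", "me", "shop")

# Assumed shape of "date-like directory naming": a path segment such as
# /20241120/, /2024-11-20/ or /2024-11/ (the report does not give the exact form).
DATE_DIR = re.compile(r"/(?:20\d{2}[-_]?\d{2}[-_]?\d{2}|20\d{2}[-_]?\d{2})(?=/)")


def url_traits(url: str) -> dict:
    """Return which of the report's infrastructure traits a single URL exhibits."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    tld = host.rsplit(".", 1)[-1] if "." in host else ""
    return {
        "dynamic_domain": any(host == d or host.endswith("." + d) for d in DYNAMIC_DOMAINS),
        "free_tld": tld in FREE_TLDS,
        "php_with_params": parts.path.lower().endswith(".php") and bool(parse_qs(parts.query)),
        "date_dir": DATE_DIR.search(parts.path) is not None,
    }


def score(url: str) -> int:
    """Number of traits matched; the threshold below is an assumed triage cut-off."""
    return sum(url_traits(url).values())


def triage(log_lines, threshold: int = 2):
    """Parse assumed 'timestamp client-ip url' lines; return (url, score) for hits."""
    hits = []
    for line in log_lines:
        fields = line.split()
        if len(fields) < 3:
            continue  # malformed line, skip rather than crash the sweep
        url = fields[2]
        s = score(url)
        if s >= threshold:
            hits.append((url, s))
    return hits


# Constructed sample proxy log lines (not real indicators from the report).
SAMPLE_LOG = [
    "2024-11-20T09:14:02Z 10.0.0.12 http://update.example-host.n-e.kr/2024-11/list.php?id=abc&q=1",
    "2024-11-20T09:14:07Z 10.0.0.12 https://docs.example.store/20241120/d.php?f=report",
    "2024-11-20T09:15:30Z 10.0.0.31 https://www.example.com/index.html",
    "2024-11-20T09:16:11Z 10.0.0.31 https://cdn.example.me/static/app.js",
]
```

A single trait (for example a .me host alone) is deliberately below the threshold; the value of the check comes from the combination of traits, which is how the report characterizes the infrastructure.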

Indicators of Compromise

Type Value First Seen Last Seen
DOMAIN o-r.kr 2023-05-24 2026-06-01
DOMAIN r-e.kr 2023-03-23 2026-06-01
DOMAIN n-e.kr 2022-08-26 2026-06-01
DOMAIN p-e.kr 2021-12-21 2026-06-01
HASH 7d766cbd60b2184b4181eb83562d5a4… 2024-11-20 2024-11-20
HASH 6263530f1bde08b13872252fa1e90ef… 2024-11-20 2024-11-20
HASH 5d25e53b59bd2dcf234c6819f8cd294… 2024-11-20 2024-11-20
HASH ea332de382c843e4d862323466fee3d… 2024-11-20 2024-11-20
HASH 1099a77b2de97f26605b32e25e806b6… 2024-11-20 2024-11-20
HASH 8028b918d06cf3635e7e77d29cb0a46… 2024-08-29 2024-11-20
HASH 06e2ab3fe5afc927642244644dfddb0… 2024-08-07 2024-11-20
HASH 30584f13c0a9d0c86562c803de35043… 2024-05-16 2024-11-20
HASH 35ddb63c0729a7e3019c026865ea195… 2024-02-22 2024-11-20
