ENKI analyzed recent DOCSWAP Android variants that used phishing websites, QR-code redirection, notification prompts, and delivery-themed decoys to lure mobile users into installing malicious APKs. The report attributes the activity to Kimsuky based on shared C&C infrastructure, Korean-language comments, overlap with Million OK-style phishing infrastructure, and related Naver and Kakao credential-harvesting sites. The SecDelivery.apk sample decrypts an embedded security.dat APK through a native library, registers com.delivery.security.MainService, and maintains execution with Android broadcast receivers for reboot and power events. Its RAT service connects to 27.102.137[.]181:50005, supports 57 commands, and records Accessibility Service events for keylogging, showing how the campaign combines mobile phishing, credential theft, and remote-control capabilities.