Kimsuky Espionage Campaign

2021-08-23 InQuest

https://inquest.net/blog/2021/08/23/kimsuky-espionage-campaign


A JavaScript file masquerading as a PDF used a Korean Foreign Ministry newsletter as its lure: it displayed a benign document to the victim while decoding and launching hidden payloads. The script carried its payloads as embedded Base64 data, from which it extracted the legitimate lure file and a UPX-packed x64 DLL; unpacking that DLL yielded an executable identified as a Kimsuky espionage tool. The malware searched local directories and USB drives for documents with HWP, PDF, DOC, XLS, PPT, and TXT extensions, indicating a document-theft objective. Persistence was established through a RunOnce registry entry that invoked regsvr32 against an ESTsoft-themed DLL path, a living-off-the-land choice that blends in with the ESTsoft software legitimately installed on many Korean hosts. The infrastructure included texts.letterpaper.press; the SHA-256 hashes of the samples are listed in the indicator table below.
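As an added example, not code from the InQuest write-up, the Python triage helper below covers two of the behaviours described above: carving Base64 payloads out of a dropper script and identifying them by their magic bytes, and flagging Run/RunOnce entries that invoke regsvr32 against a DLL sitting in a user-writable directory. The dropper text, the embedded blobs and the registry lines are constructed for the example, and the ESTsoft path in the flagged entry is hypothetical, since the report excerpt does not give the real one.

```python
import base64
import binascii
import re

# --- Constructed sample inputs (not the real Kimsuky artefacts) -------------
# A fake lure "PDF" and a fake "UPX-packed DLL": only the magic bytes matter.
FAKE_PDF = b"%PDF-1.4\n%lure document\n" + b"\x00" * 40        # 64 bytes
FAKE_DLL = b"MZ" + b"\x00" * 60 + b"UPX0" + b"\x00" * 40         # 106 bytes

# Stand-in for a dropper script that carries its payloads as Base64 literals.
SAMPLE_JS = (
    'var lure = "' + base64.b64encode(FAKE_PDF).decode() + '";\n'
    'var pay  = "' + base64.b64encode(FAKE_DLL).decode() + '";\n'
    'var sh = new ActiveXObject("WScript.Shell");\n'
)

# Hypothetical `reg query` output flattened to one entry per line
# (key, value name, type, data separated by runs of spaces). The ESTsoft
# path in the second line is invented; the report excerpt does not give it.
SAMPLE_REG_LINES = [
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run    OneDrive    REG_SZ    C:\Users\user\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background",
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce    ESTCommon    REG_SZ    regsvr32.exe /s C:\Users\user\AppData\Local\ESTsoft\Common\ESTCommon.dll",
    r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run    SecurityHealth    REG_SZ    C:\Windows\System32\SecurityHealthSystray.exe",
]

# --- Payload carving --------------------------------------------------------
B64_RE = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")


def classify(data: bytes) -> str:
    """Cheap file-type guess from leading bytes; enough for carving triage."""
    if data.startswith(b"%PDF"):
        return "pdf"
    if data.startswith(b"MZ"):
        # UPX leaves its section names ("UPX0", "UPX1") inside the packed PE.
        return "pe-upx" if b"UPX" in data else "pe"
    return "unknown"


def carve_base64(text: str) -> list:
    """Return (kind, size) for every Base64 literal that decodes to a known type."""
    found = []
    for m in B64_RE.finditer(text):
        try:
            raw = base64.b64decode(m.group(0), validate=True)
        except (binascii.Error, ValueError):
            continue  # random alphanumerics or bad padding, not a payload
        kind = classify(raw)
        if kind != "unknown":
            found.append((kind, len(raw)))
    return found


# --- Autorun hunting --------------------------------------------------------
RUN_KEYS = ("\\CurrentVersion\\Run", "\\CurrentVersion\\RunOnce")
USER_WRITABLE = ("\\appdata\\", "\\programdata\\", "\\temp\\", "\\users\\public\\")


def suspicious_autoruns(lines) -> list:
    """Flag Run/RunOnce entries that use regsvr32 to load a DLL from a
    user-writable directory, the persistence pattern described in the report."""
    hits = []
    for line in lines:
        parts = re.split(r"\s{2,}", line.strip(), maxsplit=3)
        if len(parts) != 4:
            continue
        key, name, _vtype, data = parts
        if not key.endswith(RUN_KEYS):
            continue
        low = data.lower()
        if "regsvr32" in low and any(p in low for p in USER_WRITABLE):
            hits.append((key, name, data))
    return hits


if __name__ == "__main__":
    print("carved payloads:", carve_base64(SAMPLE_JS))
    for hit in suspicious_autoruns(SAMPLE_REG_LINES):
        print("suspicious autorun:", hit)
```

The carver deliberately accepts only blobs that decode to a recognisable container, so long identifiers and random-looking constants in a script are dropped instead of producing noise; the autorun check keys on the combination of regsvr32 and a user-writable path rather than on any vendor name, so a repacked variant that drops the ESTsoft theme is still caught.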

Indicators of Compromise

Type    Value                              First Seen  Last Seen
HASH    e5bd835a7f26ca450770fd61effe22a…   2021-08-23  2021-08-23
HASH    0a4f2cff4d4613c08b39c9f18253af0…   2021-08-23  2021-08-23
HASH    20eff877aeff0afaa8a5d29fe272bdd…   2021-08-23  2021-08-23
HASH    3251c02ff0fc90dccd79b94fb2064fb…   2021-08-23  2021-08-23
HASH    ae50cf4339ff2f2b3a50cf8e8027b81…   2021-08-23  2021-08-23
HASH    fa4d05e42778581d931f07bb213389f…   2021-08-23  2021-08-23
HASH    a30afeea0bb774b975c0f8027320027…   2021-08-23  2021-08-23
URL     http://texts.letterpaper.press     2021-08-23  2021-08-23
DOMAIN  texts.letterpaper.press            2021-08-23  2021-08-23

Hash values are SHA-256 digests, shown truncated as in the source.
