Kimsuky group's resume impersonation malware

2020-03-04 Tay

https://swanleesec.github.io/posts/%EC%95%85%EC%84%B1%EC%BD%94%EB%93%9C-%EA%B9%80%EC%88%98%ED%82%A4-%EC%A1%B0%EC%A7%81%EC%9D%98-%EC%9D%B4%EB%A0%A5%EC%84%9C-%EC%82%AC%EC%B9%AD-%EC%95%85%EC%84%B1%EC%BD%94%EB%93%9C


A malware analysis write-up describes a Kimsuky variant targeting South Korea with a resume-themed executable whose filename mimics an HWP document, “resume form.hwp.scr,” built on 27 February 2020. On execution it replaces the initial SCR with a decoy HWP resume form while dropping DLL/BAT components and an AutoUpdate.dll module that carries out the main malicious activity. The malware attempts C2 communication with suzuki.datastore.pe.hu at 45.13.135.103, downloads additional files with host metadata passed in URL parameters, registers AutoUpdate.dll for startup through regsvr32, and injects malicious code into explorer.exe. The behavior indicates a lure-driven Kimsuky infection chain focused on persistence, payload retrieval, and process injection after deceiving the user with a legitimate-looking resume document.

Indicators of Compromise

Type     Value                               First Seen   Last Seen
IPv4     45.13.135.103                       2020-03-04   2021-06-01
DOMAIN   suzuki.datastore.pe.hu              2020-03-04   2020-09-30
HASH     47c95f19ebd745d588bb208ff89c90ba    2020-03-04   2020-03-04
URL      http://suzuki.datastore.pe.hu//…    2020-03-04   2020-03-04
URL      http://suzuki.datastore.pe.hu       2020-03-04   2020-03-04
