Kimsuky | Ongoing Campaign Using Tailored Reconnaissance Toolkit

2023-05-23 SentinelOne

https://www.sentinelone.com/labs/kimsuky-ongoing-campaign-using-tailored-reconnaissance-toolkit/

SentinelLabs attributes an ongoing campaign to Kimsuky targeting North Korea-focused information services, human rights activists, and DPRK-defector support organizations. The campaign uses Korean-language phishing emails sent from Daum accounts and password-protected archives containing CHM lure files themed around difficulties faced by North Korean human rights organizations. The CHM files drop and persist VBScript payloads, which then contact C2 URLs such as file.com-port.space to retrieve a VBScript variant of RandomQuery focused on system profiling, file enumeration, process listing, and exfiltration. RandomQuery collects hardware and operating-system details, directory listings of Desktop, Documents, Favorites, Recent, Program Files, and Downloads, and the running-process list, Base64-encodes the result, and POSTs it back to C2 infrastructure that overlaps with the delivery stage. The activity shows Kimsuky continuing to rely on CHM delivery and tailored reconnaissance tooling while registering deceptive domains under less common TLDs such as .online and .click.
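
The delivery and exfiltration chain summarized above, turned into detection logic as an added example (this is not code from the SentinelOne report or from the actor's tooling). It scans constructed process, file-creation and HTTP events for three things the report describes: a script interpreter launched from a CHM file, a .vbs file written by the CHM viewer, and a Base64-encoded POST to the named C2 host file.com-port.space or to a host under the .online/.click TLDs. The log format, field names, sample events, and the assumption that CHM lures are opened by hh.exe (the Windows HTML Help viewer) are all assumptions made for this example; only the C2 host and the TLDs come from the report.

```python
"""Added detection example for the Kimsuky CHM -> VBScript -> RandomQuery chain.
Log format, field names and sample events are constructed for this example.
"""
import base64
import re

# From the report: C2 host and the uncommon TLDs used for deceptive domains.
KNOWN_C2_HOSTS = {"file.com-port.space"}
SUSPICIOUS_TLDS = (".online", ".click")

# Assumption: CHM lures are rendered by hh.exe, so a script host spawned by it
# (or a .vbs written by it) is the launch chain worth flagging.
CHM_VIEWER = "hh.exe"
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "cmd.exe", "powershell.exe", "mshta.exe"}

# Base64 alphabet, at least 16 chars, optional padding.
B64_RE = re.compile(r"^[A-Za-z0-9+/]{16,}={0,2}$")


def parse_event(line):
    """Parse a constructed 'key=value|key=value' log line into a dict."""
    fields = {}
    for part in line.strip().split("|"):
        key, _, value = part.partition("=")
        fields[key.strip()] = value.strip()
    return fields


def basename(path):
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def host_of(url):
    """Host part of a URL, lower-cased; empty string if unparseable."""
    match = re.match(r"^[a-z]+://([^/:]+)", url, re.I)
    return match.group(1).lower() if match else ""


def looks_base64(body):
    """True if body is well-formed Base64 (shape check plus strict decode)."""
    if not B64_RE.match(body) or len(body) % 4:
        return False
    try:
        base64.b64decode(body, validate=True)
        return True
    except ValueError:  # binascii.Error is a ValueError subclass
        return False


def check_event(ev):
    """Return alert strings for one event; empty list when nothing matches."""
    alerts = []
    kind = ev.get("type")
    if kind == "process":
        parent, child = basename(ev.get("parent", "")), basename(ev.get("image", ""))
        if parent == CHM_VIEWER and child in SCRIPT_HOSTS:
            alerts.append(f"chm_spawned_script_host: {parent} -> {child}")
    elif kind == "file":
        path = ev.get("path", "")
        if basename(ev.get("image", "")) == CHM_VIEWER and path.lower().endswith(".vbs"):
            alerts.append(f"chm_dropped_vbs: {path}")
    elif kind == "http":
        host = host_of(ev.get("url", ""))
        reason = None
        if host in KNOWN_C2_HOSTS:
            reason = "known_c2_host"
        elif host.endswith(SUSPICIOUS_TLDS):
            reason = "suspicious_tld"
        body = ev.get("body", "")
        if reason and ev.get("method", "").upper() == "POST" and looks_base64(body):
            preview = base64.b64decode(body)[:40].decode("utf-8", "replace")
            alerts.append(f"base64_post_to_{reason}: {host} body starts {preview!r}")
        elif reason:
            alerts.append(f"contact_{reason}: {host}")
    return alerts


def scan(lines):
    """Run every rule over the log; return (line_index, alert) pairs."""
    hits = []
    for index, line in enumerate(lines):
        if line.strip():
            for alert in check_event(parse_event(line)):
                hits.append((index, alert))
    return hits


# Constructed sample telemetry (not captured data). Event 3 mimics the
# Base64-encoded profiling data RandomQuery posts back.
SAMPLE_LOG = [
    "type=process|parent=C:\\Windows\\hh.exe|image=C:\\Windows\\System32\\cmd.exe",
    "type=file|image=C:\\Windows\\hh.exe|path=C:\\Users\\u\\AppData\\Roaming\\update.vbs",
    "type=process|parent=C:\\Windows\\explorer.exe|image=C:\\Windows\\System32\\notepad.exe",
    "type=http|method=POST|url=http://file.com-port.space/index.php|body="
    + base64.b64encode(b"hw=x86_64;os=Windows 10;proc=explorer.exe").decode(),
    "type=http|method=GET|url=https://example.com/|body=",
]

if __name__ == "__main__":
    for index, alert in scan(SAMPLE_LOG):
        print(f"event {index}: {alert}")
```

The Base64 check deliberately combines a shape test with a strict decode: Base64 alone is a weak signal, so it is only reported when the destination is already the named C2 host or one of the report's unusual TLDs. In a real deployment the event source would be Sysmon or EDR telemetry rather than the pipe-delimited lines constructed here.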

Indicators of Compromise

Type   Value                               First Seen   Last Seen
HASH   49c70c292a634e822300c57305698b5…    2023-05-23   2023-11-01
HASH   912f875899dd989fbfd64b515060f27…    2023-05-23   2023-05-23
HASH   84398dcd52348eec37738b27af9682a…    2023-05-23   2023-05-23
HASH   96d29a2d554b36d6fb7373ae5276585…    2023-05-23   2023-05-23
HASH   0288140be88bc3156b692db2516e38f…    2023-05-23   2023-05-23
HASH   8f2e6719ce0f29c2c6dbabe5a7bda59…    2023-05-23   2023-05-23
