Kimsuky Targets South Korean Research Institutes with Fake Import Declaration

2023-11-30 Ahnlab

https://asec.ahnlab.com/en/59387/

ASEC reports that Kimsuky distributed a malicious JSE file disguised as an import declaration to South Korean research institutes. The dropper contains obfuscated PowerShell, a Base64-encoded Nikidoor backdoor, and a decoy PDF that displays victim-specific content while the malware runs in the background. The backdoor is written into ProgramData, executed through rundll32.exe, copied as IconCache.db for persistence, and registered as a scheduled task named iconcache. It collects anti-malware, network, host, user, and OS information with commands such as wmic and ipconfig, encodes command output, and communicates with rscnode.dothome.co.kr endpoints for upload and command execution.

Indicators of Compromise

Type     Value                                First Seen   Last Seen
HASH     d6abeeb469e2417bbcd3c122c06ba099     2023-11-21   2024-03-05
HASH     d2335df6d17fc7c2a5d0583423e39ff8     2023-11-21   2023-11-30
URL      http://rscnode.dothome.co.kr/in…     2023-11-21   2023-11-30
URL      http://rscnode.dothome.co.kr/up…     2023-11-21   2023-11-30
DOMAIN   rscnode.dothome.co.kr                2023-11-21   2023-11-30
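As an added example (not code from the ASEC report or this summary), the Python below scans a few constructed, Sysmon-style events for the chain described above: a .jse dropper run by a script host, rundll32.exe loading a module from ProgramData, IconCache.db written under ProgramData, a scheduled task named iconcache, and traffic to the C2 domain in the IOC table. The event field names, the dropper file name, the user path and the rundll32 export are assumptions, not values from the report.

```python
import re

# Indicators and behaviours taken from the summary and IOC table above.
C2_DOMAIN = "rscnode.dothome.co.kr"
TASK_NAME = "iconcache"
DROPPED_FILE = "\\programdata\\iconcache.db"

# Constructed sample events (not real telemetry), shaped like normalised Sysmon fields.
# Dropper file name, user path and the rundll32 export ("#1") are placeholders; the report names none.
SAMPLE_EVENTS = [
    {"id": 1, "type": "process", "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'wscript.exe "C:\Users\analyst\Downloads\import_declaration.jse"'},
    {"id": 2, "type": "file", "path": r"C:\ProgramData\IconCache.db"},
    {"id": 3, "type": "process", "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe C:\ProgramData\IconCache.db,#1"},
    {"id": 4, "type": "process", "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'schtasks.exe /create /tn iconcache /tr "rundll32.exe C:\ProgramData\IconCache.db,#1"'},
    {"id": 5, "type": "network", "dest_host": "rscnode.dothome.co.kr", "dest_port": 80},
    # Benign look-alikes: rundll32 loading a System32 module, and the legitimate per-user icon cache.
    {"id": 6, "type": "process", "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe shell32.dll,Control_RunDLL"},
    {"id": 7, "type": "file", "path": r"C:\Users\analyst\AppData\Local\IconCache.db"},
]

def matches(event):
    """Return the names of every rule the event triggers (empty list if none)."""
    kind, hits = event["type"], []
    if kind == "process":
        image, cmd = event["image"].lower(), event["cmdline"].lower()
        if image.endswith(("\\wscript.exe", "\\cscript.exe")) and ".jse" in cmd:
            hits.append("jse_dropper_via_script_host")      # encoded JScript run by a script host
        if image.endswith("\\rundll32.exe") and "\\programdata\\" in cmd:
            hits.append("rundll32_module_in_programdata")   # backdoor executed from ProgramData
        if image.endswith("\\schtasks.exe") and re.search(r'/tn\s+"?%s"?(\s|$)' % TASK_NAME, cmd):
            hits.append("scheduled_task_iconcache")         # persistence task named iconcache
    elif kind == "file" and event["path"].lower().endswith(DROPPED_FILE):
        hits.append("iconcache_db_in_programdata")          # IconCache.db copied into ProgramData
    elif kind == "network" and event["dest_host"].lower() == C2_DOMAIN:
        hits.append("nikidoor_c2_domain")                   # upload / command endpoint host
    return hits

def scan(events):
    """Map event id -> triggered rules, keeping only events with at least one hit."""
    return {e["id"]: hits for e in events if (hits := matches(e))}

if __name__ == "__main__":
    for event_id, rules in scan(SAMPLE_EVENTS).items():
        print(event_id, ", ".join(rules))
```

The two benign events (a System32 module in rundll32 and the per-user IconCache.db under AppData) are there to show the path checks do not fire on ordinary Windows activity.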
