Kimsuky VBS RAT Malware Analysis Report

2024-08-22 Nurilab Analysis Report on Kimsuky VBS RAT Malware

https://blog.naver.com/nurilab1/223556640169

Nurilab analyzed a VBS RAT script assessed as a BabyShark payload from Kimsuky activity targeting South Korean university professors in July 2024. The infection chain began with spearphishing sent to Gmail and Daum accounts, used fake Naver and university portal login pages to harvest credentials, and delivered an Asan Institute forum PDF hosted on Google Drive to trigger BabyShark execution. The script writes decoded PowerShell and VBS components under AppData and into the Startup folder so they run again at each login. Its command set can enumerate drives and files, download and upload files by path, delete or rename content, create directories, execute files, compress data, and exfiltrate the collected information to attacker infrastructure.
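The summary above gives a defender two things to hunt for: the published file hashes, and script files dropped into the per-user Startup folder. The following Python is an added example written for this page, not code from Nurilab or from the report; it parses the indicator rows exactly as they appear in the table below (hash values that end in "…" are truncated on the page, so they are matched as hex prefixes, which is an assumption about the display), hashes every file under a directory, and flags either an indicator match or a script file sitting in a persistence path. The Startup and AppData locations in `default_persistence_paths()` are the standard Windows paths, and the script-extension list is my own choice.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# Indicator rows copied from the report's IoC table. Values ending in "…" are
# truncated on the source page; they are treated as digest prefixes (assumption).
IOC_TABLE = """\
HASH 8c44750ad8bbca79db2973c24e87bb92 2024-08-22 2024-08-22
HASH 91c86a4350938b129cfffea60502e1b… 2024-08-22 2024-08-22
HASH fc840ba6890b63ff57d788e4ed42ca8… 2024-08-22 2024-08-22
HASH 58d97883bc932dae82b3e14de3cceb57 2024-08-22 2024-08-22
HASH 7160b07ddebad54e15efc03d6e1cdc0… 2024-08-22 2024-08-22
HASH 800e14f182c21af59b0fc777bdfe9f6… 2024-08-22 2024-08-22
HASH ed51b6bf6b004c120cb677a016d6ce4… 2024-08-22 2024-08-22
HASH 2179e1c9831bec7c15f0be0af2537fe3 2024-08-22 2024-08-22
HASH 45125b56767b5bd4d93b5e303b3a2b9… 2024-08-22 2024-08-22
IPv4 5.61.59.53 2023-10-16 2024-08-22
"""

# Script types that should not normally live in a Startup folder (my own list).
SCRIPT_EXTENSIONS = {".vbs", ".vbe", ".ps1", ".bat", ".cmd", ".js", ".wsf"}


def parse_iocs(table):
    """Split the table into full MD5 digests, digest prefixes and IPv4 addresses."""
    full, prefixes, ips = set(), [], set()
    for line in table.splitlines():
        parts = line.split()
        if len(parts) < 2:
            continue
        kind, value = parts[0], parts[1]
        if kind == "HASH":
            if value.endswith("…") or value.endswith("..."):
                prefixes.append(value.rstrip("….").lower())
            else:
                full.add(value.lower())
        elif kind == "IPv4":
            ips.add(value)
    return full, prefixes, ips


def md5_of(path):
    """MD5 of a file, read in chunks so large files do not load into memory."""
    digest = hashlib.md5()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def match_hash(digest, full, prefixes):
    """Return 'exact', 'prefix' or None for a hex digest against the indicator sets."""
    digest = digest.lower()
    if digest in full:
        return "exact"
    if any(digest.startswith(prefix) for prefix in prefixes):
        return "prefix"
    return None


def scan_dir(root, full, prefixes):
    """Walk a directory; report IoC hash hits and loose script files as (path, reason, md5)."""
    findings = []
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file():
            continue
        digest = md5_of(path)
        verdict = match_hash(digest, full, prefixes)
        if verdict:
            findings.append((str(path), "ioc_hash_" + verdict, digest))
        elif path.suffix.lower() in SCRIPT_EXTENSIONS:
            findings.append((str(path), "script_in_persistence_path", digest))
    return findings


def default_persistence_paths():
    """Standard per-user Startup folder and AppData root on Windows (skipped elsewhere)."""
    appdata = os.environ.get("APPDATA")
    if not appdata:
        return []
    startup = Path(appdata) / "Microsoft" / "Windows" / "Start Menu" / "Programs" / "Startup"
    return [p for p in (startup, Path(appdata)) if p.is_dir()]


def scan_constructed_sample():
    """Build a throwaway directory with a benign text file and a constructed .vbs file, then scan it."""
    sample = Path(tempfile.mkdtemp(prefix="startup_sample_"))
    (sample / "notes.txt").write_text("constructed benign file\n")
    (sample / "update.vbs").write_text("' constructed placeholder script, not the malware\n")
    full, prefixes, _ = parse_iocs(IOC_TABLE)
    return scan_dir(sample, full, prefixes)


if __name__ == "__main__":
    full_set, prefix_list, ip_set = parse_iocs(IOC_TABLE)
    for folder in default_persistence_paths():
        for hit in scan_dir(folder, full_set, prefix_list):
            print(hit)
    print("C2 address to check in proxy/firewall logs:", sorted(ip_set))
```

The constructed sample only shows the "script in a persistence path" branch; a hash hit is reported with `ioc_hash_exact` or `ioc_hash_prefix` when a scanned file's MD5 matches one of the table rows. Prefix matches on truncated digests are weaker evidence than an exact match and should be confirmed against the full hash from the original report.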

Indicators of Compromise

Type   Value                              First Seen   Last Seen
HASH   8c44750ad8bbca79db2973c24e87bb92   2024-08-22   2024-08-22
HASH   91c86a4350938b129cfffea60502e1b…   2024-08-22   2024-08-22
HASH   fc840ba6890b63ff57d788e4ed42ca8…   2024-08-22   2024-08-22
HASH   58d97883bc932dae82b3e14de3cceb57   2024-08-22   2024-08-22
HASH   7160b07ddebad54e15efc03d6e1cdc0…   2024-08-22   2024-08-22
HASH   800e14f182c21af59b0fc777bdfe9f6…   2024-08-22   2024-08-22
HASH   ed51b6bf6b004c120cb677a016d6ce4…   2024-08-22   2024-08-22
HASH   2179e1c9831bec7c15f0be0af2537fe3   2024-08-22   2024-08-22
HASH   45125b56767b5bd4d93b5e303b3a2b9…   2024-08-22   2024-08-22
IPv4   5.61.59.53                         2023-10-16   2024-08-22
