Analysis of Recent Endoor Malware from the Kimsuky (APT-Q-2) Group

2025-06-18 Qianxin Analysis of Recent Endoor Malware from the Kimsuky (APT-Q-2) Group

https://mp.weixin.qq.com/s?__biz=MzI2MDc2MDA4OA==&mid=2247515137&idx=1&sn=98a66e3565c09db9b5a0d0fc4674177b


QiAnXin attributes recent Endoor samples to Kimsuky, which it tracks internally as APT-Q-2, and notes the group's historical focus on South Korean defense, education, energy, government, healthcare, and think-tank targets. The Go-based backdoor appears in two forms: a DLL, and an EXE loader that decrypts and memory-loads the same core Endoor code. On start it builds a victim UID from the hostname, username, and administrator status, then enforces single-instance execution with a lock file named after that UID. Endoor talks to its C2 by HTTP POST to hxxp://june.drydate.p-e.kr:53/ (plain HTTP on TCP/53, the DNS port, which egress filters often permit), with command traffic encrypted and then base64-encoded. Supported commands include remote shell execution, directory and system discovery, file upload/download, TCP connections, SOCKS5 proxying, hibernation, shell and codepage configuration, and self-deletion. The report also highlights persistence via a scheduled task named "Windows Backup" in EXE mode, a bug in the hardcoded self-delete path, GitHub-like path strings used as camouflage, and related infrastructure including 162.216.114.133, summer.cooldate.p-e.kr, and uni.oxford.p-e.kr.

Indicators of Compromise

Type    Value                                 First Seen  Last Seen
HASH    d4db59139f2ae0b5c5da192d8c6c5fa0      2025-06-18  2025-06-18
HASH    e5c4f8ad27df5aa60ceb36972e29a5fb      2025-06-18  2025-06-18
HASH    b15cadf2a4e6670c075f80d618b26093      2025-06-18  2025-06-18
URL     http://june.drydate.p-e.kr:53/        2025-06-18  2025-06-18
DOMAIN  local.github.com                      2025-06-18  2025-06-18
DOMAIN  june.drydate.p-e.kr                   2025-06-18  2025-06-18
DOMAIN  uni.oxford.p-e.kr                     2025-06-18  2025-06-18
DOMAIN  summer.cooldate.p-e.kr                2025-06-18  2025-06-18
IPv4    162.216.114.133                       2025-06-18  2025-06-18

Note: the hash values are 32 hex characters (MD5 length). The local.github.com entry most likely stems from the GitHub-like camouflage path strings the report describes rather than from observed C2 traffic; confirm before blocking, since github.com itself is legitimate infrastructure.
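
The following hunting script is an added example and is not code from QiAnXin or the Endoor report. It turns the indicators above into three checks a SOC would run over its own telemetry: known C2 domains, IP and hashes; the "Windows Backup" scheduled task; and, independently of any indicator, HTTP POST traffic on TCP/53, the pattern Endoor's C2 channel exhibits. The key=value log format and every sample event are constructed for the example; only the indicator values come from the page.

```python
"""Hunting helper built from the Endoor indicators on this page (added example)."""
import re
from dataclasses import dataclass

# Indicators copied from the IOC table and summary on this page.
IOC_DOMAINS = {"june.drydate.p-e.kr", "summer.cooldate.p-e.kr", "uni.oxford.p-e.kr"}
IOC_IPS = {"162.216.114.133"}
IOC_MD5 = {
    "d4db59139f2ae0b5c5da192d8c6c5fa0",
    "e5c4f8ad27df5aa60ceb36972e29a5fb",
    "b15cadf2a4e6670c075f80d618b26093",
}
# Scheduled task name the report ties to EXE-mode persistence.
PERSISTENCE_TASK = "windows backup"

# Assumed log format (constructed for this example, not the report's):
# one event per line as key=value pairs, values optionally double-quoted.
#   kind=http src=<ip> dst=<ip> dport=<port> method=<verb> host=<hdr> uri=<path>
#   kind=task name="<task name>" action=created user=<account>
#   kind=file path=<path> md5=<hex>
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse(line: str) -> dict:
    """Split one key=value event line into a dict, stripping quotes."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


@dataclass(frozen=True)
class Hit:
    line_no: int
    rule: str
    detail: str


def check(ev: dict) -> list:
    """Return (rule, detail) pairs for one parsed event."""
    hits = []
    kind = ev.get("kind")
    if kind == "http":
        host = ev.get("host", "").lower()
        dst = ev.get("dst", "")
        if host in IOC_DOMAINS or dst in IOC_IPS:
            hits.append(("ioc_c2", host or dst))
        # Endoor posts plain HTTP to TCP/53; HTTP decoded on the DNS port is
        # rare in normal traffic, so flag it even without a known indicator.
        if ev.get("dport") == "53" and ev.get("method", "").upper() == "POST":
            hits.append(("http_post_tcp53", f"{dst}:53 {ev.get('uri', '')}"))
    elif kind == "task":
        # Event 4698-style names may carry a leading backslash; normalise it.
        if ev.get("name", "").strip("\\").lower() == PERSISTENCE_TASK:
            hits.append(("persistence_task", ev.get("name", "")))
    elif kind == "file":
        if ev.get("md5", "").lower() in IOC_MD5:
            hits.append(("ioc_hash", ev.get("path", "")))
    return hits


def hunt(lines) -> list:
    """Run every rule over every line; returns Hit records in log order."""
    return [Hit(n, rule, detail)
            for n, line in enumerate(lines, 1)
            for rule, detail in check(parse(line))]


# Constructed sample events; only the indicator values are from the report.
SAMPLE_LOG = [
    'kind=http src=10.0.0.5 dst=203.0.113.7 dport=443 method=GET host=www.example.org uri=/',
    'kind=http src=10.0.0.5 dst=203.0.113.9 dport=53 method=POST host=june.drydate.p-e.kr uri=/',
    r'kind=task name="Windows Backup" action=created user=CORP\alice',
    'kind=task name="GoogleUpdateTaskMachineUA" action=created user=SYSTEM',
    r'kind=file path=C:\Users\alice\AppData\Local\Temp\svc.dll md5=D4DB59139F2AE0B5C5DA192D8C6C5FA0',
    'kind=http src=10.0.0.8 dst=198.51.100.4 dport=53 method=POST host=198.51.100.4 uri=/upload',
]

if __name__ == "__main__":
    for h in hunt(SAMPLE_LOG):
        print(f"line {h.line_no}: {h.rule} ({h.detail})")
```

The sixth sample line matches no indicator at all and is caught only by the TCP/53 heuristic, which is the point of keeping that rule separate: infrastructure rotates, the protocol habit tends not to. The rule only fires if the sensor has already decoded HTTP on port 53 (Zeek's dynamic protocol detection does this); a DNS-only log will never show it.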
