Kimsuky is reported deploying a five-stage GrimResource loader that begins with a Microsoft Management Console .msc file and ends with roughly 1MB of x86 shellcode executed in memory. The plugin.msc sample embeds an XSL Transform payload in the MMC XML StringTable, runs obfuscated JScript, forces .NET 4.0, deserializes a BinaryFormatter object through a SortedSet/TypeConfuseDelegate gadget chain, and uses XamlReader.Parse() to trigger XAML-based shellcode injection. The chain uses custom BUxBF decryption, split-alphabet Base64, XOR keys, reversed Base64 with padding, GZip-compressed shellcode, RW-to-RX memory protection changes, and runtime API resolution to evade multiple defensive layers. The reported infrastructure includes 14 C2 IP addresses across UCloud HK and DAOU Technology, three dynamic DNS providers, and a uniform Apache/PHP/OpenSSL stack that suggests automated provisioning.