kimsuky's love is all around
2020-07-03 • kino •
The source compares a Kimsuky HWP malware case with the earlier “KINU Expert Advisory Request.hwp” activity and shows that the exploit and shellcode remain largely the same while the keys, C2, filenames, and mutexes changed. Shellcode injected into HimTrayIcon.exe decrypts the malware and injects it into userinit.exe, which steals system information and downloads additional payloads from paths under lovelovelove.atwebpages.com. A later VMProtect-packed stage disguises itself under a misspelled Mozilla\Firefax directory, stores keylogging and process data in tader.wav, encrypts the stolen information, and injects svchost.exe and iexplorer.exe to handle upload and download through a Daum email service. The report provides hashes, RC4 keys, mutex values, and the [email protected] account for hunting.
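A hunt for the host artifacts named above, run over constructed Sysmon-style events (an added example, not the report's own tooling; the event shapes, directory paths and rule names are assumptions):

```python
import ntpath

# Constructed sample events, loosely modelled on Sysmon IDs 1 (process create),
# 8 (CreateRemoteThread), 11 (file create) and 22 (DNS query). None are from the report;
# install paths are made up, only the file/host names come from the write-up.
SAMPLE_EVENTS = [
    {"id": 1, "image": r"C:\Program Files\Hnc\HimTrayIcon.exe", "parent": r"C:\Windows\explorer.exe"},
    {"id": 8, "source": r"C:\Program Files\Hnc\HimTrayIcon.exe", "target": r"C:\Windows\System32\userinit.exe"},
    {"id": 11, "image": r"C:\Windows\System32\userinit.exe",
     "target_file": r"C:\Users\u\AppData\Roaming\Mozilla\Firefax\cfg.dat"},
    {"id": 11, "image": r"C:\Windows\System32\userinit.exe",
     "target_file": r"C:\Users\u\AppData\Local\Temp\tader.wav"},
    {"id": 22, "image": r"C:\Windows\System32\userinit.exe", "query": "lovelovelove.atwebpages.com"},
    {"id": 8, "source": r"C:\Windows\System32\userinit.exe", "target": r"C:\Windows\System32\iexplorer.exe"},
    # Benign look-alikes that must not fire: the real Firefox profile dir, svchost on svchost.
    {"id": 11, "image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "target_file": r"C:\Users\u\AppData\Roaming\Mozilla\Firefox\profiles.ini"},
    {"id": 8, "source": r"C:\Windows\System32\svchost.exe", "target": r"C:\Windows\System32\svchost.exe"},
]


def _base(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return ntpath.basename(path).lower()


def match(ev: dict):
    """Return the name of the rule an event trips, or None if it is clean."""
    eid = ev.get("id")
    if eid == 8:  # remote thread: the injection chain the report describes
        src, dst = _base(ev["source"]), _base(ev["target"])
        if src == "himtrayicon.exe" and dst == "userinit.exe":
            return "himtrayicon_injects_userinit"
        if src == "userinit.exe" and dst in {"svchost.exe", "iexplorer.exe"}:
            return "userinit_injects_uploader"
    elif eid == 11:  # file create: misspelled profile dir and the keylog container
        path = ev["target_file"].lower()
        if "\\mozilla\\firefax\\" in path:  # 'Firefax', not the legitimate 'Firefox'
            return "firefax_lookalike_dir"
        if _base(path) == "tader.wav":
            return "tader_wav_logfile"
    elif eid == 22 and ev["query"].lower().endswith("lovelovelove.atwebpages.com"):
        return "c2_domain_query"
    return None


def hunt(events: list) -> list:
    """Return (event index, rule name) for every event that trips a rule."""
    return [(i, r) for i, ev in enumerate(events) if (r := match(ev))]


if __name__ == "__main__":
    for idx, rule in hunt(SAMPLE_EVENTS):
        print(f"event {idx}: {rule}")
```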