Larva-25004 Tracking Report

2025-09-22 AhnLab Larva-25004 Tracking Report

https://asec.ahnlab.com/ko/90292/

AhnLab tracks Larva-25004 as a Kimsuky-linked operation active since at least August 2023 against South Korean public enterprises, defense industry organizations, research institutes, and at least one job seeker of unknown nationality. The group uses spear-phishing with document-themed JSE, PIF, and SCR executables and also appears to have compromised an internal Duzon Bizbox Alpha messenger update server to replace the messenger binary and infect users during auto-update. Reported malware includes HttpSpy, Memload, HttpTroy, InfoStealer, NikiDoor, and proxy tooling, with some droppers signed using certificates attributed to DATASOLUTION, CJ Olive Networks, and Nexaweb. AhnLab notes a shift from HttpSpy to Memload as the final payload after 2025, large randomized file padding to vary hashes, packed variants that avoid virtual environments, and code/PDB clues suggesting a developer using the name Niki. The report also states that Lazarus-associated malware has appeared alongside this activity, but the primary tracking label in the excerpt is Kimsuky-linked Larva-25004.
