Malware Analysis of Kimsuky's Attacks - docx

2025-01-14 Sec AI

https://www.secai.ai/blog/latest_research/Malware-Analysis-of-Kimsuky's-Attacks-docx

SecAI analyzed a Kimsuky DOCX infection chain in which the document retrieves a malicious DOTM template from ms-work.com-info.store and runs its macro. The macro decrypts and drops a DLL, then calls an exported function that downloads another DLL payload as m.dll. Historical analysis cited by the vendor says the later payload can steal browser data, certificates, WinSCP accounts, and Thunderbird account information before upload. SecAI ties the activity to Kimsuky campaigns observed in 2024 against South Korean diplomatic, construction, and university-themed targets.
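The chain described above begins with a DOCX that fetches its DOTM template from a remote host. As an added triage check, not code from the SecAI report, the Python below opens a DOCX (a zip archive) and lists any attachedTemplate relationship whose target is external; the sample document and the placeholder template path under the reported domain are constructed here for the demonstration.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# OOXML relationship namespace and the relationship type Word uses for
# an attached (.dotm) template; both are standard OOXML identifiers.
REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
ATTACHED_TEMPLATE = (
    "http://schemas.openxmlformats.org/officeDocument/2006/relationships/attachedTemplate"
)
SETTINGS_RELS = "word/_rels/settings.xml.rels"


def external_template_targets(docx_bytes: bytes) -> list:
    """Return every external attachedTemplate target declared in the DOCX.

    A non-empty result means Word will try to download a template from that
    location when the document opens, which is the remote-template technique
    used in the chain above.
    """
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        if SETTINGS_RELS not in z.namelist():
            return []  # no settings relationships, so no remote template
        root = ET.fromstring(z.read(SETTINGS_RELS))
    hits = []
    for rel in root.iter(f"{{{REL_NS}}}Relationship"):
        if rel.get("Type") == ATTACHED_TEMPLATE and rel.get("TargetMode") == "External":
            hits.append(rel.get("Target"))
    return hits


def build_sample_docx(template_target: str = "") -> bytes:
    """Build a minimal, constructed DOCX; with a target it mimics remote-template use."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        if template_target:
            z.writestr(
                SETTINGS_RELS,
                f'<Relationships xmlns="{REL_NS}"><Relationship Id="rId1" '
                f'Type="{ATTACHED_TEMPLATE}" Target="{template_target}" '
                f'TargetMode="External"/></Relationships>',
            )
    return buf.getvalue()


if __name__ == "__main__":
    # Placeholder path: the report's full URL is truncated, so only the domain is real.
    sample = build_sample_docx("http://ms-work.com-info.store/PLACEHOLDER.dotm")
    print(external_template_targets(sample))
```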

Indicators of Compromise

Type    Value                             First Seen   Last Seen
URL     http://ms-work.com-info.store/d…  2022-02-03   2025-01-14
DOMAIN  ms-work.com-info.store            2022-02-03   2025-01-14
