Malware Analysis of Kimsuky's Attacks - jse
2025-01-09 • Sec AI
https://www.secai.ai/blog/latest_research/Malware-Analysis-of-Kimsuky's-Attacks-jse
SecAI analyzed a Kimsuky JSE sample that used obfuscated JavaScript to drop a JPG decoy and an encrypted PowerShell payload. The PowerShell stage decrypted embedded data into an executable file, launched it together with a VMP-packed PE payload, and connected to the C2 domain pmlroma.kro.kr for remote-control activity. The vendor links this tooling to Kimsuky activity observed since 2024, including samples themed around the South Korean Embassy in China, a construction company invoice, and a South Korean university lecture. The excerpt describes Kimsuky as a North Korean state-supported actor that targets South Korea, Japan, and the United States through spear phishing, watering holes, and phishing sites to steal intelligence from government, security, pharmaceutical, energy, and education organizations.
Indicators of Compromise
| Type | Value | First Seen | Last Seen |
|---|---|---|---|
| DOMAIN | pmlroma.kro.kr | 2024-08-07 | 2025-01-09 |