Kimsuky Group Attacks Web Servers Using Meterpreter

2023-05-15 AhnLab Kimsuky group attacks web servers using Meterpreter

https://asec.ahnlab.com/ko/52662/


ASEC reports that Kimsuky attacked the Windows IIS web server of a South Korean architectural firm, most likely through an unpatched or poorly managed server, and ran PowerShell from the IIS worker process w3wp.exe. The attacker downloaded a Metasploit Meterpreter backdoor from 45.58.52[.]82 and then used Meterpreter to install an additional Go-based proxy malware. The malware was loaded as a DLL through regsvr32.exe, matching earlier Kimsuky tradecraft, while the newer Go-based stager and proxy suggest an attempt to evade detection. The proxy took an IP address and port as arguments, used the string “aPpLe” for validation, and appears to have been intended to enable later RDP access to the compromised system.

Indicators of Compromise

Type  Value                             First Seen  Last Seen
IPv4  45.58.52.82                       2023-05-15  2023-11-01
HASH  6b2062e61bcb46ce5ff19b329ce31b03  2023-05-15  2023-05-21
HASH  000130a373ea4085b87b97a0c7000c86  2023-05-15  2023-05-21
