More Kimsuky “AutoUpdate” Malware

2020-06-25 Threatconnect

https://web.archive.org/web/20210412184505/https://threatconnect.com/blog/threatconnect-kimsuky-autoupdate-malware-research-roundup/


ThreatConnect identified an additional malware sample that it assesses is likely associated with Kimsuky, a DPRK-based group. The attribution rests on code and behavioral overlap with earlier AutoUpdate-linked activity: the sample shares a string deobfuscation routine and the same URL-parameter behavior with a previously reported Kimsuky downloader. The file was uploaded to VirusTotal as bmail-security-check.scr (a screensaver extension, which Windows runs as an ordinary PE executable), and its embedded command-and-control server was security-confirm.bmail-org[.]com, which ThreatConnect observed live on June 18, 2020. For defenders, the finding ties related Kimsuky variants together and points to three detection opportunities: downloader behavior, obfuscated C2 configuration, and security-themed lure filenames.

Indicators of Compromise

Type    Value                               First Seen  Last Seen
HASH    1e14ded758c5dd7b41fe20297935eeef    2020-06-25  2020-06-25
EMAIL   [email protected]                   2020-06-25  2020-06-25
URL     http://www.fireeye.fr/blog/thre…    2020-06-25  2020-06-25
URL     https://paste.cryptolaemus.com/…    2020-06-25  2020-06-25
DOMAIN  security-confirm.bmail-org.com      2020-06-25  2020-06-25
HASH    c315de8ac15b51163a3bc075063a58aa    2020-01-23  2020-06-25
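
The following is an added example, not code from ThreatConnect's post: a small Python scanner that takes the hashes, the C2 domain and the lure filename from the table above, refangs the domain the way it is written in the summary (bracketed dot), and checks a handful of constructed DNS, proxy and EDR log lines for hits. The log lines are made up for illustration; the host match deliberately accepts the C2 domain and any subdomain of it but not the parent bmail-org.com, which the page does not list as an indicator.

```python
"""Match the page's Kimsuky IOCs against constructed log lines (added example)."""
import re

# Indicators copied from the IOC table on the page. The domain is kept defanged,
# as it appears in the write-up, and refanged before matching.
IOC_HASHES = {
    "1e14ded758c5dd7b41fe20297935eeef",
    "c315de8ac15b51163a3bc075063a58aa",
}
IOC_DOMAINS = {"security-confirm.bmail-org[.]com"}
IOC_FILENAMES = {"bmail-security-check.scr"}

# 32 hex chars not embedded in a longer hex run (MD5-length, as in the table).
HASH_RE = re.compile(r"(?<![0-9a-f])[0-9a-f]{32}(?![0-9a-f])")
# Host-like tokens: labels joined by dots, not preceded/followed by host chars.
HOST_RE = re.compile(r"(?<![a-z0-9.-])[a-z0-9-]+(?:\.[a-z0-9-]+)+(?![a-z0-9.-])")


def refang(indicator: str) -> str:
    """Undo common defanging so a published IOC can be compared with raw telemetry."""
    return (indicator.lower()
            .replace("[.]", ".")
            .replace("(.)", ".")
            .replace("hxxp", "http"))


def host_matches(host: str, ioc_domain: str) -> bool:
    """True for the indicator domain itself or any subdomain; never for a parent."""
    return host == ioc_domain or host.endswith("." + ioc_domain)


def scan_log_lines(lines):
    """Return (line_number, ioc_type, indicator) for every IOC hit in `lines`."""
    domains = {refang(d) for d in IOC_DOMAINS}
    filenames = {f.lower() for f in IOC_FILENAMES}
    hits = []
    for lineno, line in enumerate(lines, 1):
        text = line.lower()  # hashes and hostnames are case-insensitive
        for token in HASH_RE.findall(text):
            if token in IOC_HASHES:
                hits.append((lineno, "hash", token))
        for host in HOST_RE.findall(text):
            for d in domains:
                if host_matches(host, d):
                    hits.append((lineno, "domain", d))
        for f in filenames:
            if f in text:
                hits.append((lineno, "filename", f))
    return hits


# Constructed sample telemetry (not real logs). Lines 1-3 should hit; lines 4-5
# mention the parent domain and an unrelated TLD and should not.
SAMPLE_LOGS = [
    "2020-06-18T10:22:01Z dns client=10.0.0.5 query=security-confirm.bmail-org.com type=A",
    "2020-06-18T10:22:03Z proxy client=10.0.0.5 url=http://security-confirm.bmail-org.com/update.php status=200",
    "2020-06-18T10:21:40Z edr host=WS-07 event=file_create path=C:\\Users\\jdoe\\Downloads\\bmail-security-check.scr md5=1E14DED758C5DD7B41FE20297935EEEF",
    "2020-06-18T10:30:00Z dns client=10.0.0.9 query=bmail-org.com type=A",
    "2020-06-18T10:31:00Z dns client=10.0.0.9 query=mail.bmail-org.net type=A",
]

if __name__ == "__main__":
    for hit in scan_log_lines(SAMPLE_LOGS):
        print("line %d: %s %s" % hit)
```

The EMAIL and the two truncated URL entries in the table are left out of the scanner on purpose: the address is obscured on the page and the URLs are cut off, so neither can be matched reliably.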
