New Kimsuky Malware “EndClient RAT”: First Technical Report and IOCs

2025-11-05 0x0v1

https://www.0x0v1.com/endclientrat/


A Kimsuky-linked EndClient RAT campaign targeted North Korean human-rights defenders after an initial victim's Google and KakaoTalk accounts were compromised and then used in manual one-to-one conversations to push a StressClear.msi lure. The MSI was signed with a certificate tied to a Chinese company and bundled an AutoIt-based RAT with Korean banking authentication software, while a fake language-pack error message served as decoy behavior. The dropper places AutoIt3.exe and an obfuscated AU3 script under Public\Music, establishes persistence with a scheduled task named IoKlTr and a Startup-folder shortcut named Smart_Web.lnk, and checks a global mutex before continuing. The RAT connects to 116[.]202[.]99[.]218:443, beacons system details using an endClient9688 JSON marker, and uses paired client/server markers for command and file transfer. The low detection rates reported for the dropper and payload make the campaign especially important for civil-society defenders and DPRK-focused threat tracking.
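The artifacts in the summary above (the AutoIt3.exe and .au3 drop under Public\Music, the IoKlTr scheduled task, the Smart_Web.lnk Startup shortcut, and the beacon to 116.202.99.218:443) are exactly the kind of host-side evidence a defender can hunt for in endpoint telemetry. The following is an added example, not code from the original report or from 0x0v1; it runs constructed telemetry lines in a simplified key=value format (hypothetical, not any vendor's schema) through rules built from the page's indicators. The file hashes are shown truncated on the page, so none are hard-coded; the mutex name is not given on the page and is not checked; the script file name `script.au3` is a constructed placeholder.

```python
"""Hunt constructed endpoint telemetry for EndClient RAT persistence and C2 artifacts.

Added example (not the report's own tooling). Indicators are taken from the
report summary; the telemetry line format below is constructed for this demo.
"""
import re
from dataclasses import dataclass

# Indicators from the report summary. Hashes are truncated on the page and
# therefore omitted; the mutex name is not published there and is not checked.
C2_IP = "116.202.99.218"
C2_PORT = "443"
TASK_NAME = "IoKlTr"
STARTUP_LNK = "Smart_Web.lnk"
DROP_DIR_RE = re.compile(r"\\Users\\Public\\Music\\", re.IGNORECASE)

# Constructed telemetry format: space-separated key=value, values may be quoted.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


@dataclass(frozen=True)
class Hit:
    rule: str
    host: str
    line: str


def parse_kv(line: str) -> dict:
    """Parse one constructed 'key=value key2="quoted value"' telemetry line."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in KV_RE.finditer(line)}


def classify(line: str) -> list:
    """Return every EndClient RAT rule the line matches (possibly none)."""
    ev = parse_kv(line)
    etype, host = ev.get("type"), ev.get("host", "?")
    hits = []
    # Beacon to the reported C2 address and port.
    if etype == "network" and ev.get("dst_ip") == C2_IP and ev.get("dst_port") == C2_PORT:
        hits.append(Hit("c2_endclient_116.202.99.218", host, line))
    # Scheduled-task persistence under the reported task name.
    if etype == "task_create" and ev.get("task") == TASK_NAME:
        hits.append(Hit("persist_schtask_IoKlTr", host, line))
    if etype == "file_create":
        path = ev.get("path", "")
        low = path.lower()
        # Startup-folder shortcut persistence.
        if "\\startup\\" in low and low.endswith("\\" + STARTUP_LNK.lower()):
            hits.append(Hit("persist_startup_Smart_Web.lnk", host, line))
        # AutoIt interpreter or AU3 script dropped under Public\Music.
        if DROP_DIR_RE.search(path) and (low.endswith("\\autoit3.exe") or low.endswith(".au3")):
            hits.append(Hit("drop_autoit_public_music", host, line))
    return hits


def hunt(lines) -> list:
    """Run every line through the rules and collect all hits."""
    return [h for line in lines for h in classify(line)]


def hosts_with_chain(lines, minimum: int = 3) -> list:
    """Hosts on which at least `minimum` distinct rules fired.

    A drop, a persistence mechanism and a beacon seen together on one host is
    far stronger evidence than any single indicator on its own.
    """
    per_host = {}
    for h in hunt(lines):
        per_host.setdefault(h.host, set()).add(h.rule)
    return sorted(host for host, rules in per_host.items() if len(rules) >= minimum)


# Constructed sample telemetry: ws01 shows the full chain, ws02 is benign noise.
SAMPLE_LOG = [
    'type=file_create host=ws01 path="C:\\Users\\Public\\Music\\AutoIt3.exe"',
    'type=file_create host=ws01 path="C:\\Users\\Public\\Music\\script.au3"',
    'type=task_create host=ws01 task=IoKlTr action="C:\\Users\\Public\\Music\\AutoIt3.exe"',
    'type=file_create host=ws01 path="C:\\Users\\alice\\AppData\\Roaming\\Microsoft\\Windows'
    '\\Start Menu\\Programs\\Startup\\Smart_Web.lnk"',
    'type=network host=ws01 dst_ip=116.202.99.218 dst_port=443 proto=tcp',
    'type=network host=ws01 dst_ip=93.184.216.34 dst_port=443 proto=tcp',
    'type=task_create host=ws02 task=OneDriveUpdate',
]

if __name__ == "__main__":
    for hit in hunt(SAMPLE_LOG):
        print(f"{hit.host}  {hit.rule}")
    print("hosts with indicator chain:", hosts_with_chain(SAMPLE_LOG))
```

The per-host chain check is the part worth keeping in a real deployment: a single outbound connection to the reported address is worth a look, but an AutoIt drop under Public\Music plus IoKlTr or Smart_Web.lnk persistence plus the beacon on the same host is a high-confidence match for this campaign.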

Indicators of Compromise

Type   Value                               First Seen   Last Seen
HASH   7107c110e4694f50a39a91f8497b9f0…    2025-11-05   2026-01-22
IPv4   116.202.99.218                      2025-11-05   2026-01-22
HASH   abd73e21cabebdfecfff7294a6f8e4a…    2025-11-05   2025-11-05
HASH   bcdd8a213cf6986bad4bb487fe1bf79…    2025-11-05   2025-11-05
HASH   dfad5a2324e4bde8ba232d914fcea4c…    2025-11-05   2025-11-05
