North Korean attackers use malicious blogs to deliver malware to high-profile South Korean targets
2021-11-10 • Cisco Talos
https://blog.talosintelligence.com/2021/11/kimsuky-abuses-blogs-delivers-malware.html
Cisco Talos attributes a campaign active since at least June 2021 to Kimsuky, targeting South Korean geopolitical, diplomatic, military, and aerospace research organizations. The attackers used malicious Blogspot pages, reached via malicious Office documents, to stage beacons, file exfiltrators, and implant deployment scripts. Follow-on payloads included modules derived from Gold Dragon/Brave Prince for system information theft, keylogging, credential stealing, file injection, and reconnaissance. Talos cites code similarity, macro overlap, shared metadata, and infrastructure links to previous Kimsuky activity, including a known Kimsuky URL at eucie09111[.]myartsonline[.]com.