Novel RAT discovered “SuperBear” targeting journalist covering geopolitics of Asia

2023-09-01 Inter Lab

https://interlab.or.kr/archives/19416

Interlab analyzed a targeted email attack against a journalist covering Asian geopolitics that delivered a malicious LNK file and a decoy DOCX, with loose attribution to Kimsuky based on initial-vector and code similarities. Execution launched an obfuscated PowerShell chain that extracted and ran embedded content, created a VBS script, and used curl to download AutoIT3 and a packed AutoIT script from a compromised WordPress site. The AutoIT script performed process hollowing into Explorer.exe and injected a previously undocumented RAT that the analysts named SuperBear. SuperBear connected to hironchk.com at 89.117.139.230 and supported process and system-data exfiltration, shell-command execution, and DLL download and execution. The activity matters because it shows a civil-society targeting chain built on open-source AutoIT tooling and a novel RAT, while the report cautions that no infrastructure overlap with Kimsuky has been observed.
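The chain above maps onto a few host and network telemetry checks. The following detection sketch is an added example, not code from the Interlab report: it runs over constructed process-creation and network records in a simplified Sysmon-like shape (the field names and the AutoIt3 drop path are assumptions), flagging curl launched from a script interpreter, Explorer.exe spawned by the AutoIT interpreter, and contact with the C2 host named in the summary.

```python
import re

# Indicators taken from the report summary above.
C2_HOSTS = {"hironchk.com", "89.117.139.230"}
INTERPRETERS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe"}

def basename(path):
    """Case-folded file name of a Windows path ("" for None)."""
    return (path or "").rsplit("\\", 1)[-1].lower()

def detect(events):
    """Return (rule, image) hits for records matching the described chain.
    Records are dicts: id (1=process create, 3=network), image, parent,
    dest (remote host for id 3). This shape is an assumption, not Sysmon's."""
    hits = []
    for ev in events:
        img, parent = basename(ev["image"]), basename(ev.get("parent"))
        if ev["id"] == 1:
            # curl.exe launched from a script interpreter: the download stage.
            if img == "curl.exe" and parent in INTERPRETERS:
                hits.append(("script_interpreter_curl", img))
            # Explorer.exe started by the AutoIT interpreter: hollowing target.
            if img == "explorer.exe" and parent == "autoit3.exe":
                hits.append(("autoit_spawns_explorer", img))
            # AutoIT interpreter outside Program Files (drop path is assumed).
            if img == "autoit3.exe" and not re.search(r"\\program files", ev["image"], re.I):
                hits.append(("autoit_unexpected_path", img))
        elif ev["id"] == 3 and ev.get("dest", "").lower() in C2_HOSTS:
            hits.append(("superbear_c2_contact", img))
    return hits

# Constructed sample records following the chain in the summary.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
WS = r"C:\Windows\System32\wscript.exe"
AU = r"C:\Users\Public\AutoIt3.exe"
EX = r"C:\Windows\explorer.exe"
SAMPLE_EVENTS = [
    {"id": 1, "image": PS, "parent": EX},                        # LNK runs PowerShell
    {"id": 1, "image": WS, "parent": PS},                        # dropped VBS
    {"id": 1, "image": r"C:\Windows\System32\curl.exe", "parent": WS},
    {"id": 1, "image": AU, "parent": WS},
    {"id": 1, "image": EX, "parent": AU},                        # hollowed Explorer
    {"id": 3, "image": EX, "dest": "hironchk.com"},
    {"id": 1, "image": r"C:\Windows\System32\notepad.exe", "parent": EX},  # benign
]

if __name__ == "__main__":
    for rule, image in detect(SAMPLE_EVENTS):
        print(f"{rule}: {image}")
```

The first rule will also fire on legitimate admin scripts that call curl, so it is a triage signal to correlate with the other three rather than a standalone alert.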

Indicators of Compromise
