VBS Script Distributed Disguised as a PDF Document (Kimsuky)
2022-03-23 • AhnLab
AhnLab observed a suspected Kimsuky APT operation targeting a specific South Korean company, likely in precision manufacturing based on the decoy document. The lure used a VBS file named to appear as a PDF receipt for a SME technology innovation development project, relying on Windows hiding known file extensions to mislead users. When executed, the script opened a legitimate PDF while dropping and running a Base64-encoded DLL under C:\ProgramData. The malware used regsvr32.exe execution similar to prior AppleSeed activity, communicated with kro.kr C2 infrastructure, and supported host-reconnaissance commands such as tasklist, net user, and systeminfo. AhnLab detected the VBS as Dropper/VBS.Akdoor and the final backdoor DLL as Trojan/Win.Kimsuky.C5025515.
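Detection logic for the behaviour chain described above, run over process-creation events, as an added example that is not from the AhnLab report. The event records, the `.pdf.vbs` file name, the DLL name, the rule names and the extra document extensions are constructed assumptions; the report summary does not give exact file names or command lines.

```python
import re
from collections import defaultdict

# Constructed process-creation events (not taken from the AhnLab report).
EVENTS = [
    {"pid": 200, "ppid": 100, "image": "wscript.exe",
     "cmd": r'wscript.exe "C:\Users\u\Downloads\receipt.pdf.vbs"'},
    {"pid": 300, "ppid": 200, "image": "regsvr32.exe",
     "cmd": r"regsvr32.exe /s C:\ProgramData\sample.dll"},
    {"pid": 310, "ppid": 300, "image": "cmd.exe", "cmd": "cmd.exe /c tasklist"},
    {"pid": 311, "ppid": 300, "image": "cmd.exe", "cmd": "cmd.exe /c net user"},
    {"pid": 312, "ppid": 300, "image": "cmd.exe", "cmd": "cmd.exe /c systeminfo"},
    # Benign look-alikes that must not alert.
    {"pid": 400, "ppid": 100, "image": "regsvr32.exe",
     "cmd": r"regsvr32.exe C:\Windows\System32\example.dll"},
    {"pid": 500, "ppid": 100, "image": "systeminfo.exe", "cmd": "systeminfo"},
]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# Assumption: the lure carries a document extension directly before ".vbs".
DOUBLE_EXT = re.compile(r"\.(pdf|docx?|xlsx?|hwp)\.vbs\b", re.I)
PROGRAMDATA_DLL = re.compile(r'c:\\programdata\\[^"\s]+\.dll', re.I)
RECON = {
    "tasklist": re.compile(r"\btasklist\b", re.I),
    "net user": re.compile(r"\bnet(\.exe)?\s+user\b", re.I),
    "systeminfo": re.compile(r"\bsysteminfo\b", re.I),
}

def detect(events):
    """Return (rule, pid) alerts for the three behaviours in the report."""
    alerts, recon_by_parent = [], defaultdict(set)
    for ev in events:
        image, cmd = ev["image"].lower(), ev["cmd"]
        if image in SCRIPT_HOSTS and DOUBLE_EXT.search(cmd):
            alerts.append(("vbs_double_extension", ev["pid"]))
        if image == "regsvr32.exe" and PROGRAMDATA_DLL.search(cmd):
            alerts.append(("regsvr32_programdata_dll", ev["pid"]))
        for name, rx in RECON.items():
            if rx.search(cmd):
                recon_by_parent[ev["ppid"]].add(name)
    # Alert only when one parent ran every recon command, to cut admin noise.
    for ppid, seen in sorted(recon_by_parent.items()):
        if seen == set(RECON):
            alerts.append(("recon_burst", ppid))
    return alerts

if __name__ == "__main__":
    for rule, pid in detect(EVENTS):
        print(f"{rule}: pid {pid}")
```

The recon rule keys on the parent process, so the alert points at the regsvr32.exe instance hosting the DLL rather than at each individual command.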