Analysis of Recent Kimsuky Attacks Abusing PebbleDash and RDP Wrapper

2024-10-23 AhnLab Analysis of Recent Kimsuky Attacks Abusing PebbleDash and RDP Wrapper

https://asec.ahnlab.com/ko/84066/

AhnLab reports that Kimsuky has used LNK-based spear-phishing to install PowerShell malware and maintain execution through scheduled VBS scripts. The activity downloads additional payloads, commonly including RDP Wrapper, to enable remote control of compromised systems, create backdoor accounts, and support attacker access through RDP. The report also notes use of custom proxy malware and recent PebbleDash activity, tying the campaign to espionage-focused targeting of defense, media, diplomatic, government, and academic organizations.
