Piece of dragon's scales

2021-12-30 kino

https://sfkino.tistory.com/80

A Korean malware-analysis post tracks ongoing Kimsuky/Thallium activity in the GoldDragon/BravePrince cluster, noting a newer sample that keeps the cluster's usual Daum-mail information-theft behavior while adding runtime resolution of encoded DLL and API names. The author also describes a related information-stealer module that collects system, network, process, file-list, and browser credential data into a working directory under AppData and appears designed to be launched by another component rather than run on its own. A third case uses the same encoded-string pivot to link the cluster to a .NET dropper that deploys privilege-elevation tooling, disables Windows Defender, installs a Quasar RAT-based payload, and persists through scheduled tasks or Run keys. Representative infrastructure and indicators include blog.daum[.]net/casalesmedia/pages/category, 222.122.79.232 on ports 8080 and 443, and hashes for the analyzed samples.
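The indicators and behaviours above are only useful once they are turned into something that runs over telemetry. The following Python triage script is an added example, not code from the original post: it takes Sysmon-style event records (process creation, network connection, registry value set) plus proxy URL records and reports matches against the page's full-length hashes, the two IPv4 addresses, the full daum blog path, and the persistence and Defender-tampering behaviours the post attributes to the .NET dropper. The sample events are constructed for the example, the registry value names checked under Windows Defender are assumed (the page does not name the exact values the sample sets), and the truncated "…" hashes are deliberately omitted because they cannot be matched exactly.

```python
import re

# Indicators copied from this page's IOC table. Only the full 32-hex hashes are
# usable for exact matching; the truncated "..." entries are left out.
IOC_MD5 = {
    "3a7355417ebfdb5067582916bbaf0f15",
    "8edfa086de4dfdc93c0551bbb08cd5a8",
    "e11e2425c62f34ebb3f640baeefb67d5",
    "c3885f3c1001a53eb4fbbb4b5f42163e",
    "e647b3366dc836c1f63bdc5ba2aef3a9",
}
IOC_IPV4 = {"222.122.79.232", "14.47.189.243"}
# blog.daum.net is a legitimate Korean portal; only the full path is an indicator.
IOC_URL_PATH = "blog.daum.net/casalesmedia/pages/category"

# Behavioural patterns for the persistence and Defender tampering the post
# attributes to the .NET dropper. The registry paths are standard Windows
# locations; the exact Defender value names are an assumption for this example.
RUN_KEY_RE = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.I)
DEFENDER_RE = re.compile(
    r"\\Windows Defender\\(DisableAntiSpyware|DisableAntiVirus|Real-Time Protection\\Disable\w+)$",
    re.I)
SCHTASKS_RE = re.compile(r"\bschtasks(\.exe)?\b.*\s/create\b", re.I)


def parse_hashes(field):
    """Sysmon's Hashes field looks like 'MD5=..,SHA256=..'; return {algo: lowercase hex}."""
    out = {}
    for part in field.split(","):
        if "=" in part:
            algo, value = part.split("=", 1)
            out[algo.strip().upper()] = value.strip().lower()
    return out


def match_event(ev):
    """Return [(rule, detail), ...] for one Sysmon-style event dict."""
    hits = []
    eid = ev.get("EventID")
    if eid == 1:  # process creation
        md5 = parse_hashes(ev.get("Hashes", "")).get("MD5")
        if md5 in IOC_MD5:
            hits.append(("ioc_hash", md5))
        if SCHTASKS_RE.search(ev.get("CommandLine", "")):
            hits.append(("persistence_schtask", ev["CommandLine"]))
    elif eid == 3:  # network connection
        ip = ev.get("DestinationIp")
        if ip in IOC_IPV4:
            hits.append(("ioc_ipv4", f"{ip}:{ev.get('DestinationPort')}"))
    elif eid == 13:  # registry value set
        target = ev.get("TargetObject", "")
        if RUN_KEY_RE.search(target):
            hits.append(("persistence_runkey", target))
        if DEFENDER_RE.search(target):
            hits.append(("defender_tamper", target))
    # Proxy/URL records: match the full indicator path, never the bare portal domain.
    if IOC_URL_PATH in ev.get("Url", "").lower():
        hits.append(("ioc_url", ev["Url"]))
    return hits


def scan(events):
    """Run every event through match_event and return all hits in input order."""
    hits = []
    for ev in events:
        hits.extend(match_event(ev))
    return hits


# Constructed sample telemetry (not from the original post). The hash, the C2
# address and the blog path are the page's indicators; everything else is made up.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Users\u\AppData\Roaming\svc.exe",
     "CommandLine": "svc.exe",
     "Hashes": "MD5=3A7355417EBFDB5067582916BBAF0F15,SHA256=00"},
    {"EventID": 1, "Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": r'schtasks.exe /create /sc onlogon /tn Update /tr "C:\Users\u\AppData\Roaming\svc.exe"',
     "Hashes": "MD5=11,SHA256=22"},
    {"EventID": 3, "DestinationIp": "222.122.79.232", "DestinationPort": 8080},
    {"EventID": 13, "TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\Update"},
    {"EventID": 13, "TargetObject": r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware",
     "Details": "DWORD (0x00000001)"},
    {"EventID": 1, "Image": r"C:\Windows\System32\notepad.exe", "CommandLine": "notepad.exe",
     "Hashes": "MD5=33,SHA256=44"},
    {"EventID": 3, "DestinationIp": "8.8.8.8", "DestinationPort": 53},
    {"EventID": "proxy", "Url": "http://blog.daum.net/casalesmedia/pages/category"},
    {"EventID": "proxy", "Url": "http://blog.daum.net/"},
]

if __name__ == "__main__":
    for rule, detail in scan(SAMPLE_EVENTS):
        print(f"{rule:22} {detail}")
```

The script separates atomic indicators (hash, IP, URL path) from behavioural rules on purpose: the hashes and addresses will rot as the actor rebuilds samples and moves infrastructure, while a Run-key write from an AppData path, a schtasks /create from a user-writable location, or a DisableAntiSpyware flip are the durable signals to keep alerting on. Note that the bare daum.net domain is never treated as an indicator, since the actor is abusing a mainstream portal.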

Indicators of Compromise

Hash values ending in "…" are truncated on the source page; the 32-character values are MD5-length.

Type   Value                               First Seen   Last Seen
HASH   e8bef41ed7d0704d9206880ee0f30b5…    2021-12-30   2021-12-30
HASH   3a7355417ebfdb5067582916bbaf0f15    2021-12-30   2021-12-30
HASH   8edfa086de4dfdc93c0551bbb08cd5a8    2021-12-30   2021-12-30
HASH   4b1b5bed35bc676e835de14ee033339…    2021-12-30   2021-12-30
HASH   237deba138355bfb448e74bfb68fc86…    2021-12-30   2021-12-30
HASH   e11e2425c62f34ebb3f640baeefb67d5    2021-12-30   2021-12-30
HASH   322ad36bf0db8244b64e2d3afc1ccf5…    2021-12-30   2021-12-30
HASH   7dc6f8aaaf4431c365564a51dd37c14…    2021-12-30   2021-12-30
HASH   0cf7e1268e8652d841b7bda784707e4…    2021-12-30   2021-12-30
HASH   51a92bd57ece4a107dacabf2639b6fa…    2021-12-30   2021-12-30
HASH   c3885f3c1001a53eb4fbbb4b5f42163e    2021-12-30   2021-12-30
HASH   e647b3366dc836c1f63bdc5ba2aef3a9    2021-12-30   2021-12-30
HASH   3903958eb28632aa58e455eb87482d1…    2021-12-30   2021-12-30
HASH   a7b0711b45081768817e85d6fc76e23…    2021-12-30   2021-12-30
IPv4   222.122.79.232                      2021-12-30   2021-12-30
IPv4   14.47.189.243                       2021-12-30   2021-12-30
HASH   5e3907e9e2ed8ff12bb4e96b52401d8…    2021-11-10   2021-12-30
