Kimsuky Distributing Malicious Mobile Apps via QR Codes
2025-12-16 • ENKI • Kimsuky Distributing Malicious Mobile Apps via QR Codes •
https://www.enki.co.kr/media-center/blog/kimsuky-distributing-malicious-mobile-app-via-qr-code
ENKI analyzed newer DOCSWAP Android malware samples distributed through phishing pages that used delivery-service themes, mobile-only redirects, QR codes, and APK installation prompts to push victims onto smartphones. The malicious SecDelivery.apk decrypted an embedded security.dat APK with a newly added native routine, registered com.delivery.security.MainService, and used fake OTP and delivery-tracking screens to conceal execution. The loaded service persisted after reboot and power events, communicated with 27.102.137[.]181:50005 using compressed payloads, supported 57 RAT commands, and included accessibility-service keylogging that captured app metadata, event text, timestamps, and icons. ENKI ties the activity to Kimsuky through shared C&C infrastructure, Korean-language comments and errors, Million OK infrastructure markers, and Naver and Kakao proxy-style phishing pages that harvested credentials.
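The script below is an added example, not ENKI's code and not taken from the report: a static triage pass over one APK stage that looks for the indicators the summary names (an embedded high-entropy asset in place of a plaintext payload, an accessibility-service binding, a boot-completed receiver, the reported C2 endpoint and service name). The toy APK it builds in memory is constructed for the demonstration; the only values taken from the report are the C2 address and the service name, and the entropy threshold is an assumed heuristic. Strings that live only inside the decrypted security.dat stage are found only when that stage is passed in as well.

```python
# Added example (not ENKI's code and not from the report): static triage of an
# APK for the indicators listed in the DOCSWAP summary. The sample APK is
# constructed in memory; only the C2 address and service name come from the text.
import io
import math
import random
import zipfile
from collections import Counter

# Indicators quoted from the report (C2 shown there defanged as 27.102.137[.]181).
KNOWN_C2 = b"27.102.137.181"
KNOWN_SERVICE = b"com.delivery.security.MainService"
# Android framework identifiers behind accessibility keylogging and boot persistence.
ACCESSIBILITY_PERM = b"android.permission.BIND_ACCESSIBILITY_SERVICE"
BOOT_ACTION = b"android.intent.action.BOOT_COMPLETED"
ENTROPY_THRESHOLD = 7.5  # assumed bits/byte cut-off; ciphertext sits near 8.0


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; near 8.0 for encrypted or compressed data."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def contains_string(blob: bytes, needle: bytes) -> bool:
    """Search as UTF-8 and as UTF-16LE: binary AndroidManifest string pools use
    either encoding, and DEX strings are MUTF-8 (ASCII-compatible for these)."""
    return needle in blob or needle.decode("ascii").encode("utf-16-le") in blob


def triage_apk(apk_bytes: bytes) -> dict:
    """Collect indicators from one APK stage and score them."""
    result = {
        "encrypted_assets": [],  # (name, entropy) for assets that look like ciphertext
        "accessibility_service": False,
        "boot_receiver": False,
        "known_c2": False,
        "known_service": False,
    }
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        for name in apk.namelist():
            if name.endswith("/"):
                continue
            data = apk.read(name)
            if name.startswith("assets/"):
                ent = shannon_entropy(data)
                # A nested APK in the clear starts with a ZIP local header; an
                # encrypted one does not, so the pair (high entropy, no magic) is the signal.
                if ent >= ENTROPY_THRESHOLD and data[:4] != b"PK\x03\x04":
                    result["encrypted_assets"].append((name, round(ent, 2)))
            if name == "AndroidManifest.xml":
                result["accessibility_service"] = contains_string(data, ACCESSIBILITY_PERM)
                result["boot_receiver"] = contains_string(data, BOOT_ACTION)
            if name == "AndroidManifest.xml" or name.endswith(".dex") or name.startswith("lib/"):
                result["known_c2"] |= contains_string(data, KNOWN_C2)
                result["known_service"] |= contains_string(data, KNOWN_SERVICE)
    hits = sum(bool(result[k]) for k in
               ("accessibility_service", "boot_receiver", "known_c2", "known_service"))
    hits += bool(result["encrypted_assets"])
    result["score"] = hits
    result["verdict"] = "suspicious" if hits >= 3 else ("review" if hits else "clean")
    return result


def build_sample_apk() -> bytes:
    """Constructed toy dropper mimicking the layout the report describes; not a
    real sample. A fixed seed keeps the encrypted-looking asset reproducible."""
    rng = random.Random(7)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        # Fake binary manifest: AXML-style header bytes plus a UTF-16LE string pool.
        manifest = b"\x03\x00\x08\x00" + "".join(
            s + "\x00" for s in (
                "com.delivery.security",
                "com.delivery.security.MainService",
                "android.permission.BIND_ACCESSIBILITY_SERVICE",
                "android.intent.action.BOOT_COMPLETED",
            )
        ).encode("utf-16-le")
        z.writestr("AndroidManifest.xml", manifest)
        # Fake DEX carrying the C2 endpoint as a string literal.
        z.writestr("classes.dex", b"dex\n035\x00" + b"http://27.102.137.181:50005/\x00")
        # Stand-in for the encrypted second stage: random bytes, no ZIP magic.
        z.writestr("assets/security.dat", bytes(rng.getrandbits(8) for _ in range(4096)))
        # Benign low-entropy asset (stub for the decoy OTP screen image).
        z.writestr("assets/otp_screen.png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 2048)
    return buf.getvalue()


if __name__ == "__main__":
    print(triage_apk(build_sample_apk()))
```

Run it over the outer APK first and, once the native routine's output has been captured, over the decrypted security.dat as a second stage; the entropy check is what flags the dropper before the payload is recovered, and the string checks are what confirm the link to the reported C2 and service once it is.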