Quick Overview of Babyshark Campaign Disguised as Defense-themed HWP Document, Involving the Kimsuky APT Group

2025-01-23 S2W

https://s2w.inc/en/resource/detail/751

S2W analyzed a January 2025 phishing email that used a defense industry digital innovation seminar lure to deliver a malicious HWP document linked to Kimsuky Babyshark activity. The attachment embedded an OLE object that dropped files for persistence and contacted a C2 URL using the "comline" query pattern associated with prior Babyshark campaigns. The malware selectively delivered a final payload to specified targets, with earlier Babyshark cases showing QuasarRAT used for remote control and information theft.

Indicators of Compromise

Type Value First Seen Last Seen
URL https://www.elmer.com.tr/module… 2025-01-23 2026-01-14
HASH 8a801a356d5a7b3235b920e4d36336d2 2025-01-23 2025-01-23
