Sample Analysis of Kimsuky's Attacks - xls

2024-12-09 SecAI

https://www.secai.ai/blog/latest_research/Sample-Analysis-of-Kimsuky's-Attacks-xls

SecAI analyzes a Kimsuky XLS-based attack in which a macro decrypts and drops msload.exe under the user's Microsoft Templates directory (a user-writable location, so no elevation is needed) and then launches it with the parameter QCvt5676hZXbg. The malware branches execution based on the parameters it is given, copies itself as smss.exe (the name of the legitimate Windows Session Manager, which normally lives only in System32, so a copy anywhere else is a masquerade worth alerting on), gathers host and session details, encrypts the collected data and uploads it in page, mode, and DATA fields, and communicates with the C2 server 46.44.251.52 on the non-standard port 91 for remote command execution. The activity is described as part of a broader 2024 Kimsuky targeting pattern that uses South Korean diplomatic, construction, and university-related lures. The source characterizes Kimsuky as a North Korean state-supported group focused on intelligence collection against South Korea and allied countries through phishing, watering-hole attacks, phishing sites, and malware-laced documents.
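The behaviours above give a defender several host and network detection points: an msload.exe process created under the Templates directory, the hard-coded launch parameter on a command line, an Office process spawning a child from that directory, an smss.exe image outside System32, and an outbound connection to 46.44.251.52:91. The following detection logic is an added example written for this page, not code from the SecAI report. The log lines it scans are constructed to resemble Sysmon-style process-creation and network-connection events; the key=value layout, the field names, the exact %APPDATA%\Microsoft\Templates path, and EXCEL.EXE as the parent process are assumptions made for the example, not details stated by the report.

```python
"""Detection heuristics for the Kimsuky XLS -> msload.exe -> smss.exe chain.

Added example, not code from the SecAI report. The sample events below are
constructed; the key=value layout and field names are an assumption.
"""
import re
from dataclasses import dataclass

# Indicators taken from the report text.
C2_IP = "46.44.251.52"
C2_PORT = 91
LAUNCH_PARAM = "QCvt5676hZXbg"

# Assumed on-disk location of "the user's Microsoft Templates directory".
TEMPLATES_DIR = re.compile(r"\\appdata\\roaming\\microsoft\\templates\\", re.I)
# The genuine Windows Session Manager lives only here; any other smss.exe is a masquerade.
LEGIT_SMSS = re.compile(r"^[a-z]:\\windows\\system32\\smss\.exe$", re.I)

# Constructed sample events (not real telemetry).
LOGS = [
    'event=process_create image="C:\\Users\\alice\\AppData\\Roaming\\Microsoft\\Templates\\msload.exe" '
    'cmdline="msload.exe QCvt5676hZXbg" parent="C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE"',
    'event=process_create image="C:\\Users\\alice\\AppData\\Roaming\\Microsoft\\Templates\\smss.exe" '
    'cmdline="smss.exe" parent="C:\\Users\\alice\\AppData\\Roaming\\Microsoft\\Templates\\msload.exe"',
    'event=process_create image="C:\\Windows\\System32\\smss.exe" cmdline="\\SystemRoot\\System32\\smss.exe" parent="System"',
    'event=network_connect image="C:\\Users\\alice\\AppData\\Roaming\\Microsoft\\Templates\\smss.exe" dst_ip=46.44.251.52 dst_port=91',
    'event=network_connect image="C:\\Program Files\\Mozilla Firefox\\firefox.exe" dst_ip=93.184.216.34 dst_port=443',
]


@dataclass
class Alert:
    rule: str
    line: str


def parse(line):
    """Parse key=value pairs; values may be double-quoted and contain spaces."""
    fields = {}
    for m in re.finditer(r'(\w+)=("([^"]*)"|(\S+))', line):
        fields[m.group(1)] = m.group(3) if m.group(3) is not None else m.group(4)
    return fields


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def evaluate(fields):
    """Return the names of every rule a single parsed event matches."""
    alerts = []
    event = fields.get("event")
    image = fields.get("image", "")
    if event == "process_create":
        cmdline = fields.get("cmdline", "")
        parent = fields.get("parent", "")
        # Stage 1: the dropper launched from the Templates directory.
        if basename(image) == "msload.exe" and TEMPLATES_DIR.search(image):
            alerts.append("kimsuky_msload_templates")
        # The hard-coded parameter from the report, wherever it appears.
        if LAUNCH_PARAM in cmdline:
            alerts.append("kimsuky_launch_param")
        # Office spawning anything from Templates is suspicious on its own (assumed parent).
        if basename(parent) == "excel.exe" and TEMPLATES_DIR.search(image):
            alerts.append("office_child_in_templates")
        # Stage 2: smss.exe running from anywhere but System32.
        if basename(image) == "smss.exe" and not LEGIT_SMSS.match(image):
            alerts.append("smss_masquerade")
    elif event == "network_connect":
        if fields.get("dst_ip") == C2_IP and fields.get("dst_port") == str(C2_PORT):
            alerts.append("kimsuky_c2")
    return alerts


def scan(lines):
    """Run every rule over every line and collect the hits."""
    return [Alert(rule, line) for line in lines for rule in evaluate(parse(line))]


if __name__ == "__main__":
    for hit in scan(LOGS):
        print(f"[{hit.rule}] {hit.line[:90]}")
```

The smss_masquerade and office_child_in_templates rules are the durable ones: they do not depend on the file name msload.exe, the launch parameter, or the C2 address, all of which the operators can change between campaigns, whereas the legitimate location of smss.exe and the fact that Excel should not be spawning executables from Templates do not change.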

Indicators of Compromise

Type   Value          First Seen   Last Seen
IPv4   46.44.251.52   2024-12-09   2024-12-09
