Springtail APT group targets South Korean government entities

2025-04-07 Symantec

https://www.broadcom.com/support/security-center/protection-bulletin/springtail-apt-group-targets-south-korean-government-entities

Springtail, also identified as Kimsuky, targeted South Korean government entities with government-themed malspam using topics such as tax matters and policy around sex offenders. The campaign delivered malicious LNK attachments that downloaded and executed an HTA file to continue the infection chain. Additional payload stages included a ZIP archive containing encoded files, VBS scripts, and PowerShell scripts. The stated objectives included data theft, exfiltration, keylogging, and follow-on malicious activity, making the activity relevant to defenders monitoring DPRK-linked espionage against South Korean public-sector targets.
