The North Korean Kimsuky APT keeps threatening South Korea evolving its TTPs

2020-03-03 Yoroi

https://blog.yoroi.company/research/the-north-korean-kimsuky-apt-keeps-threatening-south-korea-evolving-its-ttps/

Yoroi analyzed a Kimsuky-attributed infection chain that began with a Windows screensaver-style .scr loader and delivered a second-stage DLL disguised with a .tmp.db extension. The malware copied itself as AutoUpdate.dll under a Windows Defender-themed path, set persistence through an HKCU RunOnce value, and used a temporary batch file to delete the initial artifact while displaying a legitimate Korean CV-form HWP document as a decoy. AutoUpdate.dll then injected its components into explorer.exe by enumerating processes and calling VirtualAllocEx, WriteProcessMemory, and CreateRemoteThread, so that the implant's activity would appear to originate from a trusted process. The implant contacted suzuki.datastore.pe.hu every 15 minutes, issuing several HTTP requests with differing User-Agent values and sending information about the compromised host back to the C2. The report attributes the sample to Kimsuky on the strength of similarities with previously documented TTPs, while noting differences in the embedded resources.
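The three behaviours above (a remote thread created in explorer.exe, a RunOnce value pointing at a DLL, and a fixed 15-minute beacon) each leave a distinct trace in endpoint telemetry. The following hunt script is an added example written for this page, not code from Yoroi or from the malware analysis: it runs over a handful of constructed Sysmon-style JSON events (Event ID 8 CreateRemoteThread, 13 registry value set, 22 DNS query). Only the C2 domain and the 15-minute cadence come from the report; every host path, SID, registry value name, the use of rundll32.exe as the DLL host, and the process allowlist are assumptions made for illustration.

```python
import json
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed Sysmon-style telemetry (not real logs). The beacon domain and
# 15-minute cadence are taken from the report; hosts, paths, SID and the
# RunOnce value data are invented for the example.
SAMPLE_EVENTS = r"""
{"EventID": 8, "UtcTime": "2020-03-03 08:59:58", "SourceImage": "C:\\Windows\\System32\\rundll32.exe", "TargetImage": "C:\\Windows\\explorer.exe"}
{"EventID": 8, "UtcTime": "2020-03-03 09:00:00", "SourceImage": "C:\\Windows\\System32\\csrss.exe", "TargetImage": "C:\\Windows\\explorer.exe"}
{"EventID": 13, "UtcTime": "2020-03-03 08:59:55", "Image": "C:\\Windows\\System32\\rundll32.exe", "TargetObject": "HKU\\S-1-5-21-1111-2222-3333-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\WindowsDefender", "Details": "rundll32.exe \"C:\\Users\\victim\\AppData\\Roaming\\Windows Defender\\AutoUpdate.dll\",#1"}
{"EventID": 13, "UtcTime": "2020-03-03 09:01:00", "Image": "C:\\Windows\\System32\\svchost.exe", "TargetObject": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\SecurityHealth", "Details": "%windir%\\system32\\SecurityHealthSystray.exe"}
{"EventID": 22, "UtcTime": "2020-03-03 09:00:05", "Image": "C:\\Windows\\explorer.exe", "QueryName": "suzuki.datastore.pe.hu"}
{"EventID": 22, "UtcTime": "2020-03-03 09:15:05", "Image": "C:\\Windows\\explorer.exe", "QueryName": "suzuki.datastore.pe.hu"}
{"EventID": 22, "UtcTime": "2020-03-03 09:30:04", "Image": "C:\\Windows\\explorer.exe", "QueryName": "suzuki.datastore.pe.hu"}
{"EventID": 22, "UtcTime": "2020-03-03 09:45:06", "Image": "C:\\Windows\\explorer.exe", "QueryName": "suzuki.datastore.pe.hu"}
{"EventID": 22, "UtcTime": "2020-03-03 09:02:00", "Image": "C:\\Windows\\explorer.exe", "QueryName": "www.microsoft.com"}
{"EventID": 22, "UtcTime": "2020-03-03 09:07:30", "Image": "C:\\Windows\\explorer.exe", "QueryName": "www.microsoft.com"}
{"EventID": 22, "UtcTime": "2020-03-03 09:41:10", "Image": "C:\\Windows\\explorer.exe", "QueryName": "www.microsoft.com"}
{"EventID": 22, "UtcTime": "2020-03-03 09:43:00", "Image": "C:\\Windows\\explorer.exe", "QueryName": "www.microsoft.com"}
"""

TIME_FMT = "%Y-%m-%d %H:%M:%S"

# Processes that legitimately create threads in explorer.exe on a stock host;
# this list is an assumption for the example and must be tuned per environment.
REMOTE_THREAD_ALLOWLIST = {
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\svchost.exe",
}


def parse_events(text):
    """Parse JSON-lines telemetry and attach a datetime for interval maths."""
    events = []
    for line in text.strip().splitlines():
        ev = json.loads(line)
        ev["_ts"] = datetime.strptime(ev["UtcTime"], TIME_FMT)
        events.append(ev)
    return events


def detect_remote_thread_into_explorer(events):
    """Event ID 8 with explorer.exe as target from a non-allowlisted source:
    the CreateRemoteThread step of the injection described in the report."""
    hits = []
    for ev in events:
        if ev.get("EventID") != 8:
            continue
        if not ev["TargetImage"].lower().endswith(r"\explorer.exe"):
            continue
        if ev["SourceImage"].lower() in REMOTE_THREAD_ALLOWLIST:
            continue
        hits.append(ev)
    return hits


def detect_runonce_dll(events):
    """Event ID 13 writing a RunOnce value in a user hive (Sysmon logs HKCU
    as HKU\\<SID>) whose data references a DLL rather than an executable."""
    hits = []
    for ev in events:
        if ev.get("EventID") != 13:
            continue
        key = ev["TargetObject"].lower()
        if not (key.startswith(("hku\\", "hkcu\\")) and "\\currentversion\\runonce\\" in key):
            continue
        if ".dll" in ev.get("Details", "").lower():
            hits.append(ev)
    return hits


def detect_periodic_beacons(events, min_samples=4, max_jitter=0.05):
    """Flag (image, domain) pairs whose DNS lookups recur at a near-constant
    interval. Jitter is stdev/mean of the gaps: a timer firing every 15
    minutes shows almost none, while user-driven browsing is irregular."""
    by_dest = defaultdict(list)
    for ev in events:
        if ev.get("EventID") == 22:
            by_dest[(ev["Image"], ev["QueryName"].lower())].append(ev["_ts"])
    beacons = []
    for (image, domain), stamps in by_dest.items():
        if len(stamps) < min_samples:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        period = mean(gaps)
        jitter = pstdev(gaps) / period if period else float("inf")
        if jitter <= max_jitter:
            beacons.append({"image": image, "domain": domain,
                            "period_s": round(period), "count": len(stamps)})
    return beacons


def hunt(text=SAMPLE_EVENTS):
    """Run all three detections and return their hits keyed by name."""
    events = parse_events(text)
    return {
        "remote_thread_into_explorer": detect_remote_thread_into_explorer(events),
        "runonce_dll_persistence": detect_runonce_dll(events),
        "periodic_beacons": detect_periodic_beacons(events),
    }


if __name__ == "__main__":
    for name, hits in hunt().items():
        print(f"{name}: {len(hits)} hit(s)")
        for h in hits:
            print("   ", h.get("SourceImage") or h.get("TargetObject") or h)
```

The periodicity check is the most reusable piece: it does not depend on the C2 domain, so it also surfaces a renamed or re-registered beacon host as long as the implant keeps its fixed sleep. Against the constructed data it isolates the four suzuki.datastore.pe.hu lookups (period 900 s) and ignores the irregular Microsoft lookups, while the other two detections each catch exactly the one suspicious event.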

Indicators of Compromise

Type   Value                                 First Seen   Last Seen
YARA   injectedDLL                           2020-03-03   2020-03-03
YARA   AutoUpdate_dll                        2020-03-03   2020-03-03
YARA   loader                                2020-03-03   2020-03-03
HASH   817ef0d9d3584977d1114b7e92012b6…      2020-03-03   2020-03-03
HASH   757dfeacabf4c2f771147159d261178…      2020-03-03   2020-03-03
HASH   caa24c46089c8953b2a5465457a6c20…      2020-03-03   2020-03-03
HASH   bbad65136d73cbd5262bc88571677b5…      2020-03-03   2020-03-03
HASH   d21523b7b8f6584305a0a6a83cd65c8…      2020-03-03   2020-03-03
